onboarding-respects-modal is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait used to outrank a private-registry package of the same name so that build pipelines preferring the highest available version resolve and install this public package instead. It belongs to the same r0binak dependency-confusion campaign as carousel-controller-mixin (MAL-2026-5856) and setka-editor (MAL-2026-5859). Packages in this campaign declare both preinstall and postinstall hooks that run callback.js on every npm install; the script collects installer identity and environment data (username, uid/gid, hostname, homedir, cwd, platform, Node version, local network interfaces, and the external IP via api.ipify.org) and probes for CI/cloud credential environment variables (AWSACCESSKEYID, GITHUBTOKEN, NPMTOKEN, DOCKERPASSWORD) plus GitHub Actions context. The collected data is exfiltrated to a hardcoded Discord webhook and via a DNS side-channel (base64-encoded host data prepended as a subdomain and resolved with dns.resolve()) to defeat egress HTTP filtering on CI networks. Regardless of the stated research intent, install-time exfiltration of host data and credential-presence flags is harmful to any pipeline that resolves this name.
-= Per source details. Do not edit below this line.=-
Package name 'onboarding-respects-modal' published at version 999.99.99 to win dependency resolution against a private internal package of the same name. package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js, which collects the installer's user info (username, uid/gid, homedir, shell), hostname, local and external IPs (via https://api.ipify.org), CI detection, and the entire process.env object with no redaction (the source comments explicitly note no masking), then POSTs the JSON payload over plain HTTP to the hardcoded bare-IP endpoint http://132.243.20.244:8000/api/collect. Any installer pulling this package — particularly in CI — leaks every secret in the job environment (GITHUBTOKEN, NPMTOKEN, AWS_*, etc.) to the attacker-controlled host. The README's 'security research PoC' label does not change installer impact: the package is live on the public registry and the exfiltration fires unconditionally on npm install.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "c87cbbbfaff388bddc7f9811089bcfaf952a54374561768196669951b1da0ffd",
"id": "IN-MAL-2026-007103",
"import_time": "2026-06-22T16:36:58.193847792Z",
"modified_time": "2026-06-22T16:26:07Z",
"versions": [
"999.99.99"
]
},
{
"source": "ghsa-malware",
"sha256": "23aa3d8fc5ef766ce3089eecdc9979db0475a23ba4a58243e687ed70f5cf4926",
"id": "GHSA-7mh9-j98m-ccvj",
"import_time": "2026-06-23T07:33:18.91502082Z",
"modified_time": "2026-06-23T06:10:52Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/onboarding-respects-modal/MAL-2026-6258.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-B9WhlSrX4cZGQjV5nSnfaj2QCcRulz6/7n3EUhFw3kGWCwkzNbdw/SA/WdBjWsxi2L2XurP8vO/ztB+c9ev9eg==",
"sha1": "7b4ba7b7c9fd55aaeafbd04664848a904662a697"
},
"filename": "onboarding-respects-modal-999.99.99.tgz"
}
],
"evidence_files": [
{
"path": "callback.js",
"sha256": "bd5950246476a2e8e0aa7afa2b3bbab140a79d50ee14e3d2a803e88ea0f62b8c",
"tlsh": "3d8195e915f6681401e76b85a81f540a717ae0433a0bfda0fe6c42116fc6b7c93f1aa9"
},
{
"path": "package.json",
"sha256": "7f28f9af709a6e787ec957fb4e8ccf80938da88f841964eae2e52982d2b343c9",
"tlsh": "1ee0686079295a333cd9cbbf0536a2662010dd0bd51c3c093b970198b7ce7764abb2af"
}
]
}