-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (node index.js) collects installer host identity — hostname, OS user info, output of whoami and id, shell, home directory, platform, and current working directory — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://rsnchacyin4dnjv0oc8prrwn1e77vzjo.oastify.com/detox56. The package ships under an internal-looking scope (@vwfs-its) with empty author/description/license metadata and no functional code beyond the recon beacon, matching the shape of a targeted dependency-confusion attack: publish a public package that mirrors an internal name so that a misconfigured resolver in the target's build environment pulls the public copy and executes the payload during install.
The OpenSSF Package Analysis project identified '@vwfs-its/sf-sac-frontend' @ 20.1.1 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"versions": [
"20.1.1"
],
"sha256": "2e08b57aacea0c5dcc883413eddf7737e7a45fa2c21bd5381d4e80235b3ef182",
"import_time": "2026-07-08T10:18:19.196233331Z",
"modified_time": "2026-07-08T10:15:48Z",
"source": "ossf-package-analysis"
},
{
"versions": [
"20.1.1"
],
"id": "IN-MAL-2026-009105",
"import_time": "2026-07-09T16:20:41.143819159Z",
"modified_time": "2026-07-09T15:29:03Z",
"sha256": "41fd62df844e3fba17cb6200b0c9f2ce518a630677ed96f4cf0349b2a3eb7a3d",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "175170d505f65a241ba7b8494a4f9002b227e0033606ee55bfdc8340af8837c9bf0bf6",
"sha256": "54cc512c3973d1e03f71412df3c0149633838557fa1b4109fb50c6d808f4d097",
"path": "index.js"
},
{
"sha256": "7fae9272e81612a2bde42281e56717af3017cdb3db0931d47f7594d9dbe0bd6e",
"tlsh": "afd05e344e21553365c242a60c2aa44b72a18e2b04147c08b3cb5c2c81de6b798ff35c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "sf-sac-frontend-20.1.1.tgz",
"hashes": {
"sha512_sri": "sha512-vIM83+cP8i/UEZ1AcZBTWxwK0BY2Y3R8D2YoxpLdcdsVXjTXG2UBI/zIv5f7u173wKOZCrRbK1jOWKwXqlhGUg==",
"sha1": "cb91d9fbe24e4a579521f39942689bf712d6edcf"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vwfs-its/sf-sac-frontend/MAL-2026-6972.json"