-= Per source details. Do not edit below this line.=-
ai-gen-ai-opt-in@99.0.0 declares a postinstall hook (postinstall.js) that runs automatically on npm install. The script collects the installer's hostname (os.hostname()), OS username (os.userInfo().username), and public IP/geo/ISP data (fetched from ip-api.com over HTTPS), then encodes those values and issues a DNS lookup for a subdomain of an attacker-controlled Burp Collaborator-style callback host (p1r2d74iwjk057raam6myf7e258wzkt8i.oastify.com). This is a covert out-of-band DNS exfiltration channel that leaks installer identity and location data to a third party on every install, with no legitimate documented purpose.
{
"malicious-packages-origins": [
{
"sha256": "a34dae027378ca986d5e99aa7c9ffc5efe590e4697e1255970ce713f6d309e74",
"id": "IN-MAL-2026-008077",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:28.747348442Z",
"modified_time": "2026-07-08T16:21:20Z",
"versions": [
"99.0.0"
]
}
]
}{
"evidence_files": [
{
"path": "postinstall.js",
"tlsh": "5921d0ae7672512409f21bc7620fd916786bf13325c2f8b079ac5380ef8157841b15fe",
"sha256": "4adbfd26be37cb08cc308e2aa23d2319462ad80247ffb54613fd33b30450eb68"
}
],
"package_integrity": [
{
"filename": "ai-gen-ai-opt-in-99.0.0.tgz",
"hashes": {
"sha1": "0210e66192a57ba9b6814280d633750063c0676c",
"sha512_sri": "sha512-S9Q4iI6b3os/9QutMknL68k2Crc4hJPpRdsmpASPndt2gsXzzzeLYilkPARPbSvWYO3oVkYrsLtUonXYlUKwnA=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ai-gen-ai-opt-in/MAL-2026-6990.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]