-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook that runs index.js on npm install. index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of whoami and id — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package ships no library code matching its advertised MFA/React purpose; the install-time beacon is the package's only functional behavior. Empty author/description metadata and the mismatch between the package name and its contents are consistent with a dependency-confusion or namespace-squat placeholder targeting an internal package name.
The OpenSSF Package Analysis project identified 'airkey-mfa-react' @ 36.1.1 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T16:30:56Z",
"source": "ossf-package-analysis",
"import_time": "2026-07-08T17:01:26.23242759Z",
"sha256": "aabfcc531d8f0174d9ba67b4ff82625500d953dfa0016b3e7bd95df973d5509f",
"versions": [
"36.1.1"
]
},
{
"modified_time": "2026-07-08T17:31:16Z",
"id": "IN-MAL-2026-008173",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:40:20.029892364Z",
"sha256": "03026bf6133183ffaba772b4b1f585bab0a42ab87823a0a2375a7f1cba08661e",
"versions": [
"20.0.1"
]
}
]
}{
"package_integrity": [
{
"filename": "airkey-mfa-react-20.0.1.tgz",
"hashes": {
"sha1": "a6bd164a56a490e40ff30f779d0dfcacba617be8",
"sha512_sri": "sha512-No/49mPptnhlI2bn2Kl+I7nWVv0KgURwhpV4b9GWBhdz+3eDyqZm407yH0pMTU0bow40l5CBddwWZ6a5Ud1D0Q=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "3b5141c515f65a251ba7b8494a4f9402b227e0033606de55bfcc8740af9537c9bf0bf6",
"sha256": "97807c86a507cbabc4bbb48a63d172bf5119a7cbf9b6e17284daf3146ca1cb78"
},
{
"path": "package.json",
"tlsh": "13d05e344d21652329c102a6082b948b72a18e2b14047c08a38b582c559e27798ff32d",
"sha256": "8a539c996ca4a843a3ce4e4cc86a5aabc9777eb28ecf49a54a9f334a11ad0fea"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airkey-mfa-react/MAL-2026-6991.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]