-= Per source details. Do not edit below this line.=-
This package is a dependency-confusion payload published at an abnormally high version (9999.0.0) targeting an internal package name (pipo-sdk). The preinstall lifecycle hook runs node callback.js || true, which collects host identity — hostname, username, platform, and current working directory — via os.hostname(), os.userInfo(), and os.platform(), and transmits that data to pbnuwvwzmktaetcsjyyjlhncsf843r5a5.oast.fun by two channels: (a) a DNS resolution of a subdomain encoding the collected fields under the OAST domain, and (b) an HTTPS POST of a JSON body containing the same fields. Any host that runs npm install — for example, an internal build system whose resolver picks the public 9999.0.0 over a legitimate internal version — will silently beacon its identity to the third-party OAST endpoint. The bug-bounty / research framing in the package metadata does not change the installer-side behavior: unsolicited host-identity exfiltration fires on install regardless of consent, and the resolver-hijack version pin ensures the payload is preferred over legitimate internal artifacts.
{
"malicious-packages-origins": [
{
"sha256": "259159c0505b819905dcaf53172d98a4fd590a9ae1a40f87d2be4c1a7fdc4065",
"id": "IN-MAL-2026-008122",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:32.32667648Z",
"modified_time": "2026-07-08T16:27:59Z",
"versions": [
"9999.0.0"
]
}
]
}{
"package_integrity": [
{
"filename": "pipo-sdk-9999.0.0.tgz",
"hashes": {
"sha1": "7e3049806c729d32cf2fae432cdd43c5deccb45b",
"sha512_sri": "sha512-Jn18oxQgW9we+3Tvl0CmbGiyLaBNhc013Z/bTJTtC48ZcIRNVEGCDR0chpNHoiUbqpDYRjuJ5ek5Zjd61TL+yA=="
}
}
],
"evidence_files": [
{
"path": "callback.js",
"tlsh": "2f3185e021f5a2a00bf2adc331eb11241126d219bd12e5d5b9dc03881fc97b84272ffc",
"sha256": "c5b39d3f2585bbb4df686867d46e661d0a4a11f11058e5fe27ca5d5cfc8844d8"
},
{
"path": "package.json",
"tlsh": "d8019e509d60883309f106d6447562007226ad2fec0efc0e73c6419cd7aeba6537d65e",
"sha256": "c5374b01384a083736e684319cd256db556518ff92a60c8f0df2b83274eb3e6c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pipo-sdk/MAL-2026-7000.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]