-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js, which runs automatically on every npm install. index.js collects os.homedir(), os.hostname(), os.userInfo().username, dns.getServers(), the package name, __dirname, and the full package.json contents, then HTTPS POSTs them as a querystring msg=... parameter to 2mpf1804g4gnfnvuqqx3om0cw32vqlea.oastify.com — a Burp Collaborator (oastify.com) subdomain used as an out-of-band recon/exfiltration channel. The package provides no legitimate functionality; its only on-install effect is to leak installer host identity and project metadata to an attacker-controlled endpoint. This is the canonical dependency-confusion / red-team recon beacon shape.
The OpenSSF Package Analysis project identified 'mds-webcomponents' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"modified_time": "2026-02-16T15:20:34Z",
"source": "ossf-package-analysis",
"import_time": "2026-02-16T15:47:33.56876671Z",
"versions": [
"1.0.0"
],
"sha256": "d35cd4fc7e553141b386ee1a6a68e45c41d5ae73d8e013beafd90f6dfc4b1afd"
},
{
"modified_time": "2026-02-23T03:51:30Z",
"source": "amazon-inspector",
"import_time": "2026-02-23T04:19:44.88544304Z",
"versions": [
"1.0.0"
],
"sha256": "7f6007f508051582581cb5f52ff3494c5da6bb9ad1b6725fa6801b5c1b8e0825"
},
{
"modified_time": "2026-06-10T18:43:27Z",
"source": "amazon-inspector",
"import_time": "2026-06-10T19:23:48.94911186Z",
"id": "IN-MAL-2026-005297",
"versions": [
"1.0.2"
],
"sha256": "4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e"
}
]
}{
"package_integrity": [
{
"filename": "mds-webcomponents-1.0.2.tgz",
"hashes": {
"sha1": "9a5c7acf67e271e3cd2ced2cbe92ad66e65cae6c",
"sha512_sri": "sha512-NZgzQXOUEB6o/JyOhNRnB3pYvD92GOn/s/l1aVcnYEckfmz1JQ8VANC+bPIJ5qOfObt7YA681LmGlq5HoY7Ftg=="
}
}
],
"evidence_files": [
{
"tlsh": "3711bde8c2922360097989d0b8bdd04c16fee734b10e49e895cd07d547c2af410b39e1",
"path": "index.js",
"sha256": "7f93708b58a0ea2cf08690a1a9619f2c16deb2221be984d1dd765bdad139000c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mds-webcomponents/MAL-2026-919.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]