npm · Malicious package advisory
Malwarewebrix-docs
MAL-2026-10080
Malicious code in webrix-docs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (bec06de7c68db5cdd90e4b05be057a583f1a2318174916af07ed86d52a5011fc) package.json declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects host reconnaissance data — os.hostname(), os.userInfo() (username, uid, gid, homedir), process.platform, cwd, and the output of `whoami`/`id` spawned via child_process — and POSTs it as JSON to the hardcoded URL https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56 (a Burp Collaborator / oastify.com out-of-band interaction subdomain). The package has an empty description and author, no library code, and a name that mimics the legitimate `webrix` UI library — consistent with a typosquat/dependency-confusion lure whose only purpose is the install-time beacon.
Compromised versions (1)
- 20.2.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.