VYPR

npm · Malicious package advisory

Malware

webrix-docs1

MAL-2026-10081

Malicious code in webrix-docs1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (20cdefe1415c5b5245f36b10ea0de9033433b479768c2cc785ad2742b9433fce)
The package declares a preinstall hook (`node index.js`) that fires automatically on `npm install`. The script requires `child_process`, `os`, `https`, and `http`, collects hostname, platform, arch, username/uid/gid, shell, home directory, CPU/memory stats, cwd, and the output of `whoami`/`id`, then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56`. The package has an empty description and empty author, presents no advertised functionality, and its name mimics the `webrix` project — consistent with dependency-confusion/typosquat recon. Installing the package directly leaks installer host and user identifiers to an attacker-controlled OAST endpoint.

Compromised versions (1)

  • 10.2.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.