npm · Malicious package advisory
Malwaredependency_confusions
MAL-2026-10085
Malicious code in dependency_confusions (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2c5eab14c78cbbb6e4b580162a242817f899f6529485cb7f9197b6dfe05a3413) package.json declares a postinstall hook that runs index.js on npm install. On execution, index.js collects the installer's OS username (os.userInfo()), hostname (os.hostname()), current working directory, local IPv4 address, and platform (os.platform()), then POSTs the collected fields as JSON to a hardcoded webhook.site endpoint (https://webhook.site/264e1903-28ea-48ea-8c55-be58c5a76791). Fires automatically as a lifecycle hook without user consent, matching the classic dependency-confusion reconnaissance beacon: the exfiltrated username/hostname/cwd/localIP reveal internal build hosts and internal package namespaces that an attacker uses to target follow-on dependency-confusion attacks against the victim's private registry.
Compromised versions (1)
- 99.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.