VYPR

npm · Malicious package advisory

Malware

@broadpeak/smartlib-ad

MAL-2026-10178

Malicious code in @broadpeak/smartlib-ad (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289)
package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js loads child_process/os/https, runs `whoami` and `id`, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the `@broadpeak` scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.

Compromised versions (1)

  • 24.1.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.