VYPR

npm · Malicious package advisory

Malware

fkext-browser-min

MAL-2026-10183

Malicious code in fkext-browser-min (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c)
The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-<hostname>.<collaborator>.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.

Compromised versions (1)

  • 1.0.14

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.