npm · Malicious package advisory
Malwarefkext-browser-min
MAL-2026-10183
Malicious code in fkext-browser-min (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c) The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-<hostname>.<collaborator>.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
Compromised versions (1)
- 1.0.14
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.