npm · Malicious package advisory
Malwareuolcs-host-uol-anuncios-fe
MAL-2026-4185
Malicious code in uolcs-host-uol-anuncios-fe (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (16d9407c815fe2d5593da029ee806d455d15f451d1c84d3cd8d6a0a027821d64) Package claims an internal-scope corporate name (`uolcs-host-uol-anuncios-fe`) on public npm, version-pinned to 99.99.99 — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name in a target organization's CI. Both `preinstall` and `postinstall` hooks in package.json invoke `node./callback.js`, which reads `os.hostname()` and `os.platform()`, embeds them as a subdomain label (`uolci-<hostname>-<platform>.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro`), and issues a DNS A lookup. The destination `oast.pro` is the interactsh out-of-band interaction listener; the DNS query itself is the exfiltration channel, capturing the installer's hostname and OS at the listener owned by whoever controls that token. The README's claim of authorized research is not verifiable from package contents and does not change the installer-side effect: any CI host or developer machine that resolves this name from public npm leaks identity to a third party on `npm install`. ## Source: ossf-package-analysis (460c859985a6f675c559fa18b353ab35f370e5f1f60c9da53275358a1fdbaa29) The OpenSSF Package Analysis project identified 'uolcs-host-uol-anuncios-fe' @ 99.99.99 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.