VYPR

npm · Malicious package advisory

Malware

@asavie/i18n

MAL-2026-4265

Malicious code in @asavie/i18n (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040)
@asavie/i18n@99.0.0 is a dependency-confusion package targeting an unclaimed npm scope. Its package.json declares a `preinstall` hook that runs `node callback.js`, which on `npm install` reads `os.hostname()` and the output of `whoami` (callback.js L23, L28) and transmits them to the attacker-controlled out-of-band collector `d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site` (an Interactsh subdomain) via both a DNS A-record lookup and an `https.get()` request with the data base64url-encoded into the subdomain (callback.js L21, L37, L46). Version `99.0.0` and the squat on the `@asavie` scope are the canonical dependency-confusion shape — any build that mistakenly resolves this scope from public npm leaks identifying host data to the publisher. The tarball additionally ships an unrelated ~123 MB `google-chrome-stable_current_amd64.deb` that is not referenced by any code path; it is not executed but represents either staging or registry abuse. Author claims of 'authorized research' are unverifiable by installers and do not change the installer-side outcome: unsolicited exfiltration of host identifiers on `npm install`.

## Source: ossf-package-analysis (c72462533b89e20b39c2336d38a51d34b95330c056845b95a3b390740cadc803)
The OpenSSF Package Analysis project identified '@asavie/i18n' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (3)

  • 99.0.1
  • 99.0.3
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.