npm · Malicious package advisory
Malware@asavie/i18n
MAL-2026-4265
Malicious code in @asavie/i18n (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040) @asavie/i18n@99.0.0 is a dependency-confusion package targeting an unclaimed npm scope. Its package.json declares a `preinstall` hook that runs `node callback.js`, which on `npm install` reads `os.hostname()` and the output of `whoami` (callback.js L23, L28) and transmits them to the attacker-controlled out-of-band collector `d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site` (an Interactsh subdomain) via both a DNS A-record lookup and an `https.get()` request with the data base64url-encoded into the subdomain (callback.js L21, L37, L46). Version `99.0.0` and the squat on the `@asavie` scope are the canonical dependency-confusion shape — any build that mistakenly resolves this scope from public npm leaks identifying host data to the publisher. The tarball additionally ships an unrelated ~123 MB `google-chrome-stable_current_amd64.deb` that is not referenced by any code path; it is not executed but represents either staging or registry abuse. Author claims of 'authorized research' are unverifiable by installers and do not change the installer-side outcome: unsolicited exfiltration of host identifiers on `npm install`. ## Source: ossf-package-analysis (c72462533b89e20b39c2336d38a51d34b95330c056845b95a3b390740cadc803) The OpenSSF Package Analysis project identified '@asavie/i18n' @ 99.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (3)
- 99.0.1
- 99.0.3
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.