VYPR

npm · Malicious package advisory

Malware

@newline53/newline-ts-sdk

MAL-2026-4267

Malicious code in @newline53/newline-ts-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (475a7ac4130ef9c168565439f8cac230fce87b1d59bc116caec6c712f3a5dc60)
On `npm install`, the postinstall hook (`node install.js`) collects `os.hostname()` and `os.userInfo().username` along with the package name, encodes them as a DNS subdomain of `mjcfux88wjjahplabxdauc6bl.canarytokens.com`, and beacons out via DNS resolution (`dns.lookup`/`dns.resolve`) and HTTP requests (shelled `curl`/`wget` to `http://<host-username-pkg>.mjcfux88wjjahplabxdauc6bl.canarytokens.com`). The package has no real functionality — `index.js` is `module.exports = {}` — and `package.json` carries placeholder author metadata (a 32-char hex string with no homepage or repository). The structure (empty main, recon-only postinstall, canarytoken endpoint) is the canonical dependency-confusion probe: an attacker publishes a public npm package matching an internal scope name to detect whether private builds inside a target organization resolve to and install the public name. The exfiltrated hostname/username identifies the victim environment to the attacker.

## Source: ossf-package-analysis (5410fe1569b6b68356a714bec6729f19f05c94faa3ee858c58df8a35345f5eca)
The OpenSSF Package Analysis project identified '@newline53/newline-ts-sdk' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (3)

  • 1.0.1
  • 1.0.2
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.