npm · Malicious package advisory
Malwareclickpy
MAL-2026-4270
Malicious code in clickpy (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (dd3b0787797fa520a5583fd5f14b83ec1b4606c0c45051e30ef312869c148f01)
On `require('clickpy')`, index.js collects host metadata via `os.hostname()`, `os.userInfo()`, `os.platform()`, `os.arch()`, `process.cwd()`, `process.pid`, and the current time, then issues an HTTPS GET to the hardcoded out-of-band host `fxpkkxatijbbyxuhdclqssj033zarohm1.oast.fun` with these values as query-string parameters (index.js:4 and index.js:25-29). oast.fun is the interactsh/OAST collaborator service used to receive callbacks from victim hosts; there is no legitimate purpose for a published library to beacon installer identifiers to such a host on import. Package metadata is empty (no description, no author), consistent with a throwaway recon/PoC exfiltration package.
## Source: ossf-package-analysis (4eabe2c137602d61ffca6cc787c74601220c1e92f9b77300775a94327b784600)
The OpenSSF Package Analysis project identified 'clickpy' @ 1.0.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.