VYPR

npm · Malicious package advisory

Malware

@pluxee-connect/api-client

MAL-2026-4418

Malicious code in @pluxee-connect/api-client (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9)
On `npm install`, postinstall.js collects `os.hostname()`, `os.userInfo()`, and `process.version` and transmits them over plain HTTP to `716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com` (a Burp Collaborator out-of-band interaction subdomain), with DNS resolution providing a second exfil channel via subdomain encoding. The package itself is a near-empty shell — `index.js` exports only a `ConsentsStatus` enum — and is published at version 99.0.1, far above any plausible legitimate release for the `@pluxee-connect` scope. The structural shape (high-bumped version + trivial functional surface + lifecycle-time OOB beacon to oastify.com) is the canonical dependency-confusion attack against an internal scope. Any developer or CI system that resolves `@pluxee-connect/api-client` from public npm will leak machine identifiers to the attacker.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.