VYPR

npm · Malicious package advisory

Malware

cloudsmith-vsc

MAL-2026-4530

Malicious code in cloudsmith-vsc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f)
package.json declares a preinstall hook (`"preinstall": "node index.js"`) that runs automatically on `npm install`. index.js reads installer-side system identity and files — `os.hostname()`, `os.userInfo()`, homedir, DNS configuration, package metadata, `/etc/passwd`, and `/etc/hosts` — and POSTs them over HTTPS to a hardcoded Burp Collaborator subdomain (`6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com`). The package metadata is empty (no description, author, or license) and the name impersonates the Cloudsmith vendor brand, consistent with a dependency-confusion / typosquat recon-and-exfil payload. Any machine that installs this package transmits host fingerprinting and local account data to the attacker.

Compromised versions (1)

  • 2.1.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.