npm · Malicious package advisory
Malwarecloudsmith-vsc
MAL-2026-4530
Malicious code in cloudsmith-vsc (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f) package.json declares a preinstall hook (`"preinstall": "node index.js"`) that runs automatically on `npm install`. index.js reads installer-side system identity and files — `os.hostname()`, `os.userInfo()`, homedir, DNS configuration, package metadata, `/etc/passwd`, and `/etc/hosts` — and POSTs them over HTTPS to a hardcoded Burp Collaborator subdomain (`6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com`). The package metadata is empty (no description, author, or license) and the name impersonates the Cloudsmith vendor brand, consistent with a dependency-confusion / typosquat recon-and-exfil payload. Any machine that installs this package transmits host fingerprinting and local account data to the attacker.
Compromised versions (1)
- 2.1.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.