VYPR

npm · Malicious package advisory

Malware

cosmosdb-server

MAL-2026-4537

Malicious code in cosmosdb-server (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76)
Package squats the unscoped name `cosmosdb-server`, targeting users who mistype `npx cosmosdb-server` instead of the scoped `@vercel/cosmosdb-server`. The package.json declares `bin: {"cosmosdb-server": "./index.js"}` and self-describes as a 'bin-mismatch PoC' for the Vercel package. When invoked (via `npx`, `bin` execution, or `require()`), index.js collects `os.hostname()`, `process.cwd()`, `process.platform`, `process.arch`, and a timestamp and POSTs them to a hardcoded endpoint at `https://callback-monitor.cyb3rsh4ykh.workers.dev/c`, controlled by the package author. The 'security research / responsible disclosure' framing in the description does not constitute installer consent — the package is published live on the public registry under a name designed to capture mistyped invocations, and victims have no opportunity to opt out before their host identity and working-directory path are exfiltrated. Combination of (a) ≤2-edit name confusion against a scoped Vercel package, (b) hardcoded attacker-controlled exfil endpoint, and (c) immediate-on-execution data collection meets the typosquat-with-installer-harm threshold.

Compromised versions (2)

  • 0.0.1
  • 0.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.