npm · Malicious package advisory
Malwareintl-ad-routing
MAL-2026-4586
Malicious code in intl-ad-routing (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (07b57475540583a4a2af3fb2d790f066c2e77742a704b3e5048c118f82cc8185) intl-ad-routing@99.0.1 is a dependency-confusion squat targeting an internal `@livingdesign/react` namespace. On `npm install`, the package's `preinstall` hook (poc.js) executes shell commands to enumerate the installer's environment (`ipconfig /all` on Windows, `ip a && cat /etc/resolv.conf` on Linux) and collects hostname, username, install directory, network interfaces, the full list of `process.env` keys, and every `npm_*` environment variable (which can include npm registry auth tokens / `_authToken` values). The collected JSON is POSTed over HTTPS to `d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me` (an interactsh out-of-band collector), and a DNS callback encoding hostname+username is also issued. The package's own description states it is a 'Dependency Confusion PoC' for a bug-bounty program, but the lifecycle code runs on any installer that resolves this public version in place of the intended private package — without the installer's consent — and ships their host identifiers and potentially registry credentials to a third-party collector.
Compromised versions (3)
- 99.0.1
- 99.0.2
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.