VYPR

npm · Malicious package advisory

Malware

moneykit-cardano-demo

MAL-2026-4614

Malicious code in moneykit-cardano-demo (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e)
package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identifiers and OS files — `os.hostname()`, `os.userInfo().username`, home directory, DNS servers, `/etc/passwd`, `/etc/hosts`, and the consumer's full package.json — and HTTPS-POSTs the JSON payload to `bixf8sa9rawbznh6ivppxl7k1b72vtji.oastify.com`, a Burp Collaborator subdomain. The package ships no functionality matching its name; metadata is empty (no author, description, or license). The name `moneykit-cardano-demo` resembles an internal/private namespace and is consistent with a dependency-confusion reconnaissance package targeting an organization's internal scope. Installer harm: every `npm install` of this package leaks host identity, the local user account, OS-level files (`/etc/passwd`, `/etc/hosts`), and the consumer project's package.json contents to the attacker, providing target identification and the foothold data needed for follow-on attacks.

Compromised versions (1)

  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.