npm · Malicious package advisory
Malwareonboardconnect-agent
MAL-2026-4627
Malicious code in onboardconnect-agent (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5) The package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env, with additional fetch/POST sites further down the same file. dist/server.js contains multiple POST sinks and a ping invocation, while dist/crypto.js and dist/store.js wrap repeated Buffer.from(..., 'base64') decoding routines consistent with obfuscated payload handling. The destination is a personal *.workers.dev subdomain (wpolanco.workers.dev) that is not associated with any documented vendor publisher and is the canonical low-effort exfiltration host shape — anonymous, free, attacker-controlled, and trivially registered. No legitimate purpose for an 'onboard connect agent' to ship environment variables to a personal Cloudflare Worker exists; combined with the base64-decoding helpers in adjacent files this matches the data-exfiltration shape directly.
Compromised versions (9)
- 1.1.24
- 1.1.31
- 1.1.22
- 1.1.15
- 1.1.16
- 1.1.21
- 1.1.5
- 1.1.32
- 1.1.25
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.