npm · Malicious package advisory
Malwareopenmct-couch-plugin
MAL-2026-4629
Malicious code in openmct-couch-plugin (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28) On `npm install`, the package's `preinstall` script runs `node index.js` and then `curl`s the output of `hostname && whoami` to `http://8irluql1d21jmq8tr5n5fyoxjopfdd12.oastify.com/nasa/couchrestore/` over plain HTTP. The bundled `index.js` additionally reads `/etc/passwd`, captures `whoami`/`id`, `os.hostname()`, `os.platform()`, `os.userInfo().username`, the current working directory, and the first 30 entries of `process.env`, then HTTPS-POSTs the JSON payload to a second hardcoded Burp Collaborator host (`3nrgzlqwix6erldow0s0kttsojuai36s.oastify.com`). Both endpoints are oastify.com out-of-band-application-security-testing infrastructure used for blind data exfiltration. The package name impersonates NASA's openmct ecosystem (the exfil path `/nasa/couchrestore/` reinforces the lure), the package description falsely claims to be an AWS CDK SageMaker workflow, and the README contains the string 'Takeover By l0bo'. Installer harm is unconditional and fires before any user code runs.
Compromised versions (3)
- 1.0.0
- 1.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.