npm · Malicious package advisory
Malwareosep-api-hub-service-client-v1
MAL-2026-4633
Malicious code in osep-api-hub-service-client-v1 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76) package.json declares `"preinstall": "node index.js"`, causing index.js to run automatically on `npm install`. index.js collects host identifiers — `os.hostname()`, `os.userInfo()` (username/uid/gid/shell), `os.homedir()`, `process.platform`, `process.arch`, `process.cwd()` — and additionally shells out via `child_process` to `whoami` and `id`. The collected JSON is POSTed to the hardcoded URL `https://0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com/detox56`, a Burp Collaborator (oastify.com) subdomain controlled by whoever published the package. The package name mimics an internal-sounding scoped client and ships with empty author/description metadata, consistent with a dependency-confusion attack targeting a private package namespace. Any developer or CI system that installs this package immediately leaks host and user identity to the attacker's Collaborator endpoint.
Compromised versions (1)
- 10.9.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.