VYPR

npm · Malicious package advisory

Malware

osep-api-hub-service-client-v1

MAL-2026-4633

Malicious code in osep-api-hub-service-client-v1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76)
package.json declares `"preinstall": "node index.js"`, causing index.js to run automatically on `npm install`. index.js collects host identifiers — `os.hostname()`, `os.userInfo()` (username/uid/gid/shell), `os.homedir()`, `process.platform`, `process.arch`, `process.cwd()` — and additionally shells out via `child_process` to `whoami` and `id`. The collected JSON is POSTed to the hardcoded URL `https://0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com/detox56`, a Burp Collaborator (oastify.com) subdomain controlled by whoever published the package. The package name mimics an internal-sounding scoped client and ships with empty author/description metadata, consistent with a dependency-confusion attack targeting a private package namespace. Any developer or CI system that installs this package immediately leaks host and user identity to the attacker's Collaborator endpoint.

Compromised versions (1)

  • 10.9.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.