npm · Malicious package advisory
Malwareosep-react-antd
MAL-2026-4634
Malicious code in osep-react-antd (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb) package.json declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects host identifiers (os.hostname(), process.platform, arch, os.homedir(), os.userInfo() including uid/gid/username/shell, cwd) and the output of `whoami` and `id` via child_process, then POSTs the JSON payload to a hardcoded URL `https://qtn11857tbs7r8jtj0bj2250xr3jrafz.oastify.com/detox56`. The oastify.com host is Burp Suite Collaborator out-of-band infrastructure used to receive callbacks from compromised installers. The package name mimics React/Ant Design naming conventions and ships empty author/description/license metadata with no functional code beyond the beacon — the dependency-confusion squat shape. Installer harm: every `npm install` of this package leaks the installer's hostname, username, uid/gid, and shell to the attacker, identifying internal corporate environments and CI runners for follow-on targeting.
Compromised versions (1)
- 10.10.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.