VYPR

npm · Malicious package advisory

Malware

payment-account-input-selector

MAL-2026-4635

Malicious code in payment-account-input-selector (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (12187e6fb4ae4d3a411cea0c3ec8b995e1091a9cf78219db9fbcdac87540aabf)
On `npm install`, preinstall.js collects hostname, username, platform, cwd, timestamp, and a full dump of os.networkInterfaces() and HTTP-GETs them as query parameters to a hardcoded Burp Collaborator (oastify.com) endpoint. Errors are silently swallowed (the source comment notes 'Silent fail to avoid detection'). The package's metadata advertises an Oracle JET payment account selector but ships only a 5-line stub for index.js — the only real logic is the install-time beacon. The combination of empty author metadata, generic 'oracle/jet/payment' keywords, hollow main entry, and a recon-only preinstall is consistent with a dependency-confusion probe against an internal Oracle JET package name, with installer host/network topology exfiltrated to the attacker's OAST collector.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.