npm · Malicious package advisory
Malwarepg-expense-example
MAL-2026-4639
Malicious code in pg-expense-example (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d1d939ad3f0e8e9754bf3562f06692713a76d5c0f18ac13c956f9cb199ed0fbf) On require/load, index.js unconditionally collects host identifiers (hostname, username, platform, arch, cwd, pid) and sends them as URL query parameters via HTTPS GET to a hardcoded Burp Collaborator-style domain `vwfmeddcdgidvdwpkigkg0l8us5vf3wtx.oast.fun`. The package ships no advertised functionality — its only behavior on load is the beacon. package.json has empty author/description fields and declares an unused `chalk` dependency. A code comment in Azerbaijani (`sənin domenin` = 'your domain') is consistent with an attacker-controlled callback host, indicating PoC/reconnaissance malware rather than legitimate software.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.