VYPR

npm · Malicious package advisory

Malware

search-connector-template

MAL-2026-4664

Malicious code in search-connector-template (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4)
package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identity (hostname, username, homedir, DNS servers) and reads installer-owned system files (/etc/passwd, /etc/hosts), then POSTs the JSON payload over HTTPS to a Burp Collaborator OAST subdomain (`615arnt4a5f6ii011q8kggqfk6q1er2g.oastify.com`). This is a classic install-time exfiltration beacon: the destination is attacker-controlled, the data leaving the host belongs to the installer rather than the package author, and execution requires no user action beyond running `npm install`.

Compromised versions (1)

  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.