VYPR

npm · Malicious package advisory

Malware

walmart-shared-modules

MAL-2026-4710

Malicious code in walmart-shared-modules (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a)
Package declares `preinstall: node poc.js`, which on `npm install` collects host identity (os.hostname, whoami/id, ipconfig/ip a output), scrapes environment variables matching credential-shaped prefixes (TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, JENKINS, CI_, WALMART, WMT), reads the parent project's package.json and CI configuration files (.gitlab-ci.yml,.github/workflows, Jenkinsfile), and HTTPS POSTs the aggregated JSON to a hardcoded interactsh OOB endpoint at d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me, plus a DNS callback with a hex-encoded hostname/username. The package is published at version 99.0.1 with a self-described 'Dependency Confusion PoC' purpose targeting Walmart's internal `walmart-shared-modules` namespace, intended to win npm's highest-version-wins resolution. Any installer outside Walmart's authorized testing scope still suffers full environment and CI-secret exfiltration; self-declared 'security research' framing does not neutralize the harm to unrelated installers.

Compromised versions (1)

  • 99.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.