VYPR

npm · Malicious package advisory

Malware

encrypted-archive

MAL-2026-5286

Malicious code in encrypted-archive (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94)
On `npm install`, the package executes a preinstall hook (`package.json` `"preinstall": "node index.js || true"`) that runs `index.js`, which performs a DNS resolution and HTTPS GET to a hardcoded interactsh/oast.me subdomain (`d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me`). Each install leaks the resolver IP, public egress IP, hostname-derived identifier, and install timestamp to a third-party out-of-band interaction server. The package's own metadata states it is a dependency-confusion proof-of-concept squatting an internal Ubiquiti namespace; any build system that resolves this name from the public registry instead of the intended private registry will silently run the beacon. Regardless of the author's stated research intent, the install-time network I/O to an attacker-controlled OOB host is the canonical dependency-confusion exploitation primitive and exfiltrates installer-side network/identity data.

## Source: ossf-package-analysis (13428a6cdcd4736d3f044dd6a580724699318155a1c1e283b586b9a4c3ab6295)
The OpenSSF Package Analysis project identified 'encrypted-archive' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (2)

  • 99.0.0
  • 0.0.2-security-research

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.