npm · Malicious package advisory
Malwareuhd-setup
MAL-2026-5287
Malicious code in uhd-setup (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99) package.json declares `scripts.preinstall: node index.js`. On `npm install`, index.js (lines 4-5) performs `dns.resolve` and `https.get` against `<id>.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online`, an Interactsh OAST collector. The request fires unconditionally with no opt-out, leaking the installer's egress IP, internal DNS resolver identity, and fact-of-install (with the package id encoded in the subdomain and URL path) to a third-party-controlled endpoint. The README frames this as authorized dependency-confusion research targeting Ubiquiti, but the beacon does not gate on any organizational identifier — any installer that pulls this name (typo, internal-name collision, automated mirror) sends build-system metadata to the researcher. Trigger is the preinstall lifecycle hook, so the network call fires before any code review opportunity. ## Source: ossf-package-analysis (358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da) The OpenSSF Package Analysis project identified 'uhd-setup' @ 99.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (2)
- 99.0.0
- 0.0.1-security-research
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.