VYPR

npm · Malicious package advisory

Malware

unifi-portal

MAL-2026-5289

Malicious code in unifi-portal (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f4c0cbc81f0d9b1df2dae7252888e87e046c36d049f2792dc7fc49d72ec1d9c6)
Package is a self-described dependency-confusion proof-of-concept published unscoped on the public npm registry under a name presumed to match a private internal package. package.json declares `preinstall: node index.js || true`, and index.js performs a DNS resolution and HTTPS GET to a unique subdomain of `oast.me` (an Interactsh out-of-band collector controlled by a third party) at install time. Any installer whose tooling resolves this name — including unrelated developers and CI systems — leaks public IP, DNS resolver identity, hostname-derived callback id, and install timing to the OAST endpoint without consent. The unscoped public name targeting an internal package namespace is the namespace-confusion lure, and the preinstall beacon is the exfiltration payload. Stated 'authorized research' framing does not limit the blast radius: any third party who resolves this name is impacted.

## Source: ossf-package-analysis (8ff224f10cd94268bd5347ea6898f0cb1c54d23b19a6eb02d8efa268a16e15e8)
The OpenSSF Package Analysis project identified 'unifi-portal' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (3)

  • 99.0.0
  • 0.0.1-security-research
  • 0.0.2-security-research

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.