npm · Malicious package advisory
Malwareunifi-portal
MAL-2026-5289
Malicious code in unifi-portal (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f4c0cbc81f0d9b1df2dae7252888e87e046c36d049f2792dc7fc49d72ec1d9c6) Package is a self-described dependency-confusion proof-of-concept published unscoped on the public npm registry under a name presumed to match a private internal package. package.json declares `preinstall: node index.js || true`, and index.js performs a DNS resolution and HTTPS GET to a unique subdomain of `oast.me` (an Interactsh out-of-band collector controlled by a third party) at install time. Any installer whose tooling resolves this name — including unrelated developers and CI systems — leaks public IP, DNS resolver identity, hostname-derived callback id, and install timing to the OAST endpoint without consent. The unscoped public name targeting an internal package namespace is the namespace-confusion lure, and the preinstall beacon is the exfiltration payload. Stated 'authorized research' framing does not limit the blast radius: any third party who resolves this name is impacted. ## Source: ossf-package-analysis (8ff224f10cd94268bd5347ea6898f0cb1c54d23b19a6eb02d8efa268a16e15e8) The OpenSSF Package Analysis project identified 'unifi-portal' @ 99.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (3)
- 99.0.0
- 0.0.1-security-research
- 0.0.2-security-research
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.