npm · Malicious package advisory
Malwareconsumerweb-authflow
MAL-2026-5297
Malicious code in consumerweb-authflow (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (acbd81f78a40f87b410799545f06c929bc7e7c3f552eeea06254416b3b9e0977) On `npm install`, the package's postinstall.js collects host identifiers via `os.hostname()`, `os.userInfo().username`, `os.platform()`, and the current working directory, then POSTs them over HTTPS to `kd1tbfhej84bcqde44rq77o79yfp3gr5.oastify.com` (a Burp Collaborator out-of-band callback subdomain). The package's own metadata self-identifies as a dependency-confusion proof-of-concept (`description: "Dependency confusion PoC - H1-lingtys"`, payload tag `src: 'paypal-dep-confusion-poc'`), and the package name is chosen to collide with an internal/private package name so that misconfigured resolvers pull this public version instead. Regardless of bug-bounty intent, every installer's machine identity is leaked to an external attacker-controlled OAST endpoint without consent, automatically, on a default install. ## Source: ossf-package-analysis (0a4795bc3b2c513417e92b1547d165f9b6cbb750f437b5bf3ac87e63832087ca) The OpenSSF Package Analysis project identified 'consumerweb-authflow' @ 4.1.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (2)
- 4.1.1
- 4.1.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.