VYPR

npm · Malicious package advisory

Malware

@listings/energy-labels

MAL-2026-5327

Malicious code in @listings/energy-labels (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (41caac3ab1f9c35a72841357174aeeec16c142c08cc28030a875b2dba85f04ba)
The package declares `"preinstall": "node index.js || true"` in package.json, so on every `npm install` the script executes automatically and silently swallows errors. index.js collects host identity (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package label), hex-encodes the JSON payload as a DNS subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an out-of-band interaction service used for exfiltration), and additionally POSTs the same payload over plain HTTP to a hardcoded bare IP `http://172.201.213.59:9090/c`. There is no TLS, no authentication, no documented purpose, and the bare-IP plus OOB DNS pattern is consistent with dependency-confusion / supply-chain reconnaissance infrastructure. Installer machines are fingerprinted and reported to the attacker on install with no user consent.

## Source: ossf-package-analysis (4df629d1450770515d9dc9346d52b9b728dbaab01bbf64a4bb5c17563dcc6991)
The OpenSSF Package Analysis project identified '@listings/energy-labels' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.