VYPR

npm · Malicious package advisory

Malware

@bancolonbia/menu-filter-widget-web

MAL-2026-5344

Malicious code in @bancolonbia/menu-filter-widget-web (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e)
package.json declares `scripts.postinstall: node./callback.js`, which fires automatically on `npm install`. callback.js reads the installer's hostname and transmits it to a hardcoded Burp Collaborator domain (`3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com`) via two channels: an HTTPS GET to `/<token>/<encodeURIComponent(host)>` and a DNS lookup against a subdomain encoding the same token + hostname. The package self-describes as an "authorized security research PoC" but is published under the `@bancolonbia` scope (a likely typosquat of the Bancolombia corporate namespace), matching the classic dependency-confusion shape: a private-looking scoped name registered publicly so a misconfigured internal build resolves to this package and beacons victim identity to the researcher/attacker. Whether or not the operator is authorized by Bancolombia, any third party who installs this package has their hostname exfiltrated to an attacker-controlled Collaborator endpoint without consent.

## Source: ossf-package-analysis (fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6)
The OpenSSF Package Analysis project identified '@bancolonbia/menu-filter-widget-web' @ 0.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.