npm · Malicious package advisory
Malware@bancolonbia/menu-filter-widget-web
MAL-2026-5344
Malicious code in @bancolonbia/menu-filter-widget-web (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e) package.json declares `scripts.postinstall: node./callback.js`, which fires automatically on `npm install`. callback.js reads the installer's hostname and transmits it to a hardcoded Burp Collaborator domain (`3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com`) via two channels: an HTTPS GET to `/<token>/<encodeURIComponent(host)>` and a DNS lookup against a subdomain encoding the same token + hostname. The package self-describes as an "authorized security research PoC" but is published under the `@bancolonbia` scope (a likely typosquat of the Bancolombia corporate namespace), matching the classic dependency-confusion shape: a private-looking scoped name registered publicly so a misconfigured internal build resolves to this package and beacons victim identity to the researcher/attacker. Whether or not the operator is authorized by Bancolombia, any third party who installs this package has their hostname exfiltrated to an attacker-controlled Collaborator endpoint without consent. ## Source: ossf-package-analysis (fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6) The OpenSSF Package Analysis project identified '@bancolonbia/menu-filter-widget-web' @ 0.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.