VYPR

npm · Malicious package advisory

Malware

multica

MAL-2026-5400

Malicious code in multica (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2)
Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively requires `multica` itself — the canonical shape of a dependency-confusion probe designed to win resolution against an internal package of the same name. On `npm install`, postinstall.js unconditionally POSTs a JSON payload containing the package name/version, Node version, OS platform, timestamp, detected CI vendor (selected from a list of 12 CI environment variables), and — when set — GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW to https://ddactic-lab.online/sc/beacon. A DNS fallback channel encodes a package slug, CI slug, and hash into a subdomain of b.ddactic-lab.online to bypass HTTP-blocking egress proxies. Installer harm: silent disclosure of internal package names, CI vendor, and GitHub org/repo/workflow identifiers to an attacker-controlled endpoint at install time, mapping which organizations resolve internal names to this public tarball.

Compromised versions (1)

  • 9999.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.