npm · Malicious package advisory
Malwaret-invest-mcp-server
MAL-2026-5403
Malicious code in t-invest-mcp-server (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419)
Package is a dependency-confusion squat: package.json sets version 9999.99.99 (the canonical max-version trick used to win resolution against any internal/private package of the same name), the description self-identifies as a 404 placeholder, and index.js does `module.exports = require('t-invest-mcp-server')` (a recursive self-reference that provides no functionality). The package exists solely to fire its postinstall hook. postinstall.js collects package name/version, Node version, OS, CI flag, GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, GITHUB_WORKFLOW, and a timestamp, then POSTs them as JSON to https://ddactic-lab.online/sc/beacon at npm install time. A DNS-lookup fallback encodes the same data into a subdomain of b.ddactic-lab.online to exfiltrate through HTTP-blocking egress proxies. This is dependency-confusion reconnaissance: it fingerprints victim organizations and repositories whose builds mistakenly resolve the private name to the public registry, providing the attacker with a target list for follow-on attacks.
Compromised versions (1)
- 9999.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.