VYPR

npm · Malicious package advisory

Malware

@card-pci-data/store

MAL-2026-5407

Malicious code in @card-pci-data/store (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871)
On `npm install`, the package's preinstall hook (`scripts.preinstall: node index.js || true`) runs index.js which collects host identity — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — and exfiltrates it through two channels: (1) an HTTP POST to the hardcoded bare IP `172.201.213.59:9090/c`, and (2) a DNS resolution of a hex-encoded label appended to `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh-style out-of-band beacon). The package has no advertised functionality beyond this beacon; its description is `security research` and the scoped name `@card-pci-data/store` impersonates payment-card / PCI-related tooling, consistent with a dependency-confusion or namespace-abuse lure. This auto-executes on default install and produces clear attacker benefit (installer host fingerprint delivered to attacker-controlled infrastructure).

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.