npm · Malicious package advisory
Malware@klapp-about/routes
MAL-2026-5411
Malicious code in @klapp-about/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875) On `npm install`, the package's `preinstall` hook (`node index.js`) collects host and user identity data — `os.hostname()`, `os.userInfo().username`, `__dirname`, `process.cwd()`, pid, node version, platform, and architecture — and ships them to two attacker-controlled destinations: (a) an HTTP POST to a bare IP `http://172.201.213.59:9090/cb/klapp-about-routes` carrying the collected fields as JSON, and (b) a hex-encoded DNS lookup to `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (interactsh out-of-band callback). The package name `@klapp-about/routes` and the unusually high version `99.0.0` are the canonical shape of a dependency-confusion attack — an internal-looking scope published to public npm at a version high enough to override a private resolver. Self-description as a 'security research / dependency-confusion PoC' does not change installer-side impact: any developer or CI system that misroutes installs to the public registry has their machine fingerprint shipped to the hardcoded IP and DNS callback service without consent.
Compromised versions (3)
- 99.0.1
- 99.0.2
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.