VYPR

npm · Malicious package advisory

Malware

@klapp-kyc/routes

MAL-2026-5412

Malicious code in @klapp-kyc/routes (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ca32e3aa7685d93e36eca726e08096bd0c5ba425172ef254fdf769cc09b46887)
On `npm install`, the package's preinstall hook executes `node index.js`, which collects the installer's hostname, OS username, current working directory, __dirname, and package name, then exfiltrates them through two channels unconditionally: (1) a hex-encoded DNS A-record query to a subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh-style out-of-band collector), and (2) an HTTP POST of a JSON payload to `http://172.201.213.59:9090/c`. The package has no other functionality — `package.json` declares `description: "security research"`, version `99.0.0` (dependency-confusion-style high version), and a KYC-themed scope (`@klapp-kyc/routes`) suggesting targeted reconnaissance against a specific organization's internal namespace. Regardless of the self-description, installers' internal host identifiers are leaked to attacker-controlled infrastructure.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.