npm · Malicious package advisory
Malware@klapp-login-platform/native-sdk
MAL-2026-5413
Malicious code in @klapp-login-platform/native-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3b3bc8633d15b44abc90074d3362fd9399f53d10a88e24264caee9d924a72bb6) On `npm install`, the package's `preinstall` lifecycle hook runs `node index.js`, which collects installer-side identifiers — `os.hostname()`, `os.userInfo().username`, `__dirname`, `process.cwd()`, and the package name — and exfiltrates them through two channels. First, the JSON payload is hex-encoded into DNS labels and resolved under `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live`, an out-of-band collector. Second, the same JSON is POSTed to a bare IP `http://172.201.213.59:9090/c`. Neither destination matches any documented vendor SDK endpoint. The package metadata reinforces malicious intent: the scope `@klapp-login-platform` resembles an internal namespace, the description is `security research`, and the version `99.0.2` is inflated to win dependency-confusion resolution against a private package. Installing the package immediately leaks host identity to attacker-controlled infrastructure.
Compromised versions (2)
- 99.0.2
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.