npm · Malicious package advisory
Malware@klapp-login-platform/oidc
MAL-2026-5414
Malicious code in @klapp-login-platform/oidc (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6c2b86b9675d4d22e101f4f10f521cc36069ecebd1680d4c3ecfa0c04e8169da) On `npm install`, the package executes `node index.js` via its preinstall hook. index.js collects the installer's hostname (`os.hostname()`), username (`os.userInfo().username`), package directory (`__dirname`), and current working directory (`process.cwd()`), serializes them to JSON, hex-encodes the payload, and exfiltrates it through two channels: (1) a DNS resolution of a subdomain under `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (interactsh-style out-of-band exfiltration), and (2) an HTTP POST to the bare IP `172.201.213.59:9090/c`. The package ships no documented functionality matching its `@klapp-login-platform/oidc` name; the description is 'security research'. The high version number (99.0.2) under an org-style scope on the public registry is consistent with a dependency-confusion attack designed to pre-empt resolution of an internal private package of the same name, and the beaconing payload provides the attacker with confirmation of which organizations have resolved the public version.
Compromised versions (2)
- 99.0.2
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.