npm · Malicious package advisory
Malware@klapp-login-platform/routes
MAL-2026-5415
Malicious code in @klapp-login-platform/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7) On `npm install`, the package's `preinstall` lifecycle hook executes `index.js`, which collects the installer's hostname, username, package install path (`__dirname`), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates the data through two channels: DNS lookups against subdomains of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an Interactsh out-of-band callback host) and an HTTP POST to the bare IP endpoint `http://172.201.213.59:9090/c`. The package ships almost no functional code; its purpose is the beacon. The scope `@klapp-login-platform` paired with an inflated `99.0.2` version and a generic `routes` name fits the canonical dependency-confusion pattern of publishing a high-version public package to shadow an internal private package of the same name, causing affected build environments to resolve and install this attacker-controlled release.
Compromised versions (2)
- 99.0.2
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.