npm · Malicious package advisory
Malware@klapp-otp/routes
MAL-2026-5416
Malicious code in @klapp-otp/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee) On `npm install`, this package auto-executes `index.js` via the `preinstall` lifecycle hook. The script collects `os.hostname()`, `os.userInfo()`, `__dirname`, `process.cwd()`, and the package name, then exfiltrates them through two channels: (1) a hex-encoded DNS A-record query to `<encoded>.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh out-of-band collector), and (2) an HTTP POST of the same JSON payload to `http://172.201.213.59:9090/c`. Both channels fire unconditionally on install, leaking installer identity to attacker-controlled infrastructure. The package metadata reinforces the dependency-confusion / namespace-squat shape: scope `@klapp-otp` with version `99.0.0` and the description string `security research`, paired with no legitimate functionality in the tarball.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.