VYPR

npm · Malicious package advisory

Malware

@klapp-otp/routes

MAL-2026-5416

Malicious code in @klapp-otp/routes (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee)
On `npm install`, this package auto-executes `index.js` via the `preinstall` lifecycle hook. The script collects `os.hostname()`, `os.userInfo()`, `__dirname`, `process.cwd()`, and the package name, then exfiltrates them through two channels: (1) a hex-encoded DNS A-record query to `<encoded>.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh out-of-band collector), and (2) an HTTP POST of the same JSON payload to `http://172.201.213.59:9090/c`. Both channels fire unconditionally on install, leaking installer identity to attacker-controlled infrastructure. The package metadata reinforces the dependency-confusion / namespace-squat shape: scope `@klapp-otp` with version `99.0.0` and the description string `security research`, paired with no legitimate functionality in the tarball.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.