VYPR

npm · Malicious package advisory

Malware

@klapp-sca/routes

MAL-2026-5417

Malicious code in @klapp-sca/routes (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (495f510483f297a56d545e8555db20eb54569f904bfd71853e54a18d89812cb0)
package.json declares `"preinstall": "node index.js || true"`, so on every `npm install` the bundled index.js runs automatically and collects os.hostname(), os.userInfo().username, __dirname, and process.cwd() into a JSON payload. The payload is hex-encoded into DNS labels and resolved against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an Interactsh/Burp-Collaborator-style out-of-band DNS sink) and simultaneously POSTed to a hardcoded bare IP at `http://172.201.213.59:9090/c`. This is a classic install-time reconnaissance beacon: installer machine identity is leaked to attacker-controlled infrastructure without any consent or user action beyond installing the package. The package's stated 'security research' description does not change the impact — any installer that runs `npm install` has their hostname, username, and working-directory paths sent to third-party endpoints.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.