npm · Malicious package advisory
Malware@nstrlabs/api-client
MAL-2026-5418
Malicious code in @nstrlabs/api-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9) @nstrlabs/api-client@99.0.0 is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares `"preinstall": "node index.js || true"`, so every `npm install` automatically executes index.js, which collects `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` and ships them through two independent channels: (1) a DNS lookup against a subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (OAST-style out-of-band callback) encoding the collected fields, and (2) an HTTP POST of the JSON payload to the hardcoded bare IP `172.201.213.59:9090/c`. Errors are swallowed with `|| true` to keep the install appearing successful. The package ships no API-client functionality; the version-bomb to 99.0.0 under the `@nstrlabs` scope, combined with the `security research` description and beacon-only payload, is the canonical dependency-confusion shape — designed to outrank a private internal `@nstrlabs/api-client` and silently identify hosts inside the target organization's build environment.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.