npm · Malicious package advisory
Malware@nstrlabs/auth
MAL-2026-5419
Malicious code in @nstrlabs/auth (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (608be3457e7c809e60c1b76b9406489652f0ef708bfb97db2b6e0bb92b6836c2) On `npm install`, the package's preinstall hook (`node index.js || true`, declared in package.json) automatically collects host identifiers — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — and exfiltrates them through two channels: (1) a DNS lookup to a hex-encoded subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an out-of-band interaction canary), and (2) an HTTP POST of the JSON payload to the bare IP `172.201.213.59` on port 9090 at path `/c`. The package ships no other functionality; the entire codebase is a beacon. Combined with the implausible version `99.0.0`, the `@nstrlabs` scope, and the self-described 'security research' purpose, this has the canonical shape of a dependency-confusion attack against a private `@nstrlabs/auth` namespace, where any organization that mistakenly resolves the public registry copy will leak internal hostnames and developer identities to the attacker.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.