VYPR

npm · Malicious package advisory

Malware

@nstrlabs/auth

MAL-2026-5419

Malicious code in @nstrlabs/auth (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (608be3457e7c809e60c1b76b9406489652f0ef708bfb97db2b6e0bb92b6836c2)
On `npm install`, the package's preinstall hook (`node index.js || true`, declared in package.json) automatically collects host identifiers — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — and exfiltrates them through two channels: (1) a DNS lookup to a hex-encoded subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an out-of-band interaction canary), and (2) an HTTP POST of the JSON payload to the bare IP `172.201.213.59` on port 9090 at path `/c`. The package ships no other functionality; the entire codebase is a beacon. Combined with the implausible version `99.0.0`, the `@nstrlabs` scope, and the self-described 'security research' purpose, this has the canonical shape of a dependency-confusion attack against a private `@nstrlabs/auth` namespace, where any organization that mistakenly resolves the public registry copy will leak internal hostnames and developer identities to the attacker.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.