npm · Malicious package advisory
Malware@nstrlabs/ixel
MAL-2026-5420
Malicious code in @nstrlabs/ixel (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (64b10f7a8ca25ac33a6d1e94038d1dbfd68d113d9ab7d7a428d97417b3409c7d) On `npm install`, the package runs `node index.js` via a `preinstall` lifecycle hook (declared as `"preinstall": "node index.js || true"` so failures are silenced). index.js collects `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` and exfiltrates them two ways: (1) a hex-encoded subdomain DNS query against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (interactsh-style out-of-band beacon), and (2) an HTTP POST of a JSON blob to the hardcoded bare IP `http://172.201.213.59:9090/c`. Errors are swallowed via `|| true`, try/catch, and a no-op HTTP error handler so the install appears to succeed. The package is published under the `@nstrlabs` scope at version 99.0.0 with description 'security research' — the canonical dependency-confusion recon shape, where a high version is published to a public registry to override an internal-scope package and beacon any host that resolves it. The package has no legitimate functionality; its only effect on install is the host-metadata beacon.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.