npm · Malicious package advisory
Malware@nstrlabs/sdk
MAL-2026-5421
Malicious code in @nstrlabs/sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a0b1375de7b44594cd3760efb91cb94c8c8b7137322f4597114e314ce5e14e45) On `npm install`, package.json runs `preinstall: node index.js || true`, unconditionally executing index.js. The script collects host identity fields (os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package id), hex-encodes them as DNS labels, and resolves them as a subdomain of an interactsh OOB callback host (`*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live`), then also POSTs the same JSON payload to a bare IP HTTP endpoint at `http://172.201.213.59:9090/c`. Two independent exfiltration channels (DNS + HTTP) fire on every install, with `|| true` swallowing errors so the exfil is silent. The package is a typosquat / dependency-confusion lure: version `99.0.1` is an unusually high pseudo-version, scope `@nstrlabs` and metadata (`description: security research`, author `jeroengui`) are placeholder-shaped, and the package has no other functionality — its sole effect on install is the recon beacon.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.