npm · Malicious package advisory
Malware@nstrlabs/shared-components
MAL-2026-5422
Malicious code in @nstrlabs/shared-components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445) On `npm install`, the package's preinstall script runs index.js, which collects host identifiers (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package name) and ships them to two attacker-controlled destinations: (1) a hex-encoded DNS subdomain query against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (Interactsh-style out-of-band exfiltration), and (2) an HTTP POST of the same JSON payload to bare IP `http://172.201.213.59:9090/c`. The package is published under `@nstrlabs/shared-components` at version `99.0.0` with description `security research` — a high semver against a generic scoped name consistent with a dependency-confusion attack targeting an internal `nstrlabs` namespace. There is no legitimate library functionality; the preinstall beacon is the package's only effect.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.