VYPR

npm · Malicious package advisory

Malware

@nstrlabs/shared-components

MAL-2026-5422

Malicious code in @nstrlabs/shared-components (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445)
On `npm install`, the package's preinstall script runs index.js, which collects host identifiers (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package name) and ships them to two attacker-controlled destinations: (1) a hex-encoded DNS subdomain query against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (Interactsh-style out-of-band exfiltration), and (2) an HTTP POST of the same JSON payload to bare IP `http://172.201.213.59:9090/c`. The package is published under `@nstrlabs/shared-components` at version `99.0.0` with description `security research` — a high semver against a generic scoped name consistent with a dependency-confusion attack targeting an internal `nstrlabs` namespace. There is no legitimate library functionality; the preinstall beacon is the package's only effect.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.