VYPR

npm · Malicious package advisory

Malware

@nstrlabs/utils

MAL-2026-5423

Malicious code in @nstrlabs/utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355)
On `npm install`, the package's `preinstall` script (`node index.js || true`) executes automatically and collects host identifiers from the installer's machine — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP `http://172.201.213.59:9090/c`. Second, the data is hex-encoded into a subdomain and resolved via DNS against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live`, an Interactsh out-of-band beacon. The `|| true` suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.

Compromised versions (2)

  • 99.0.1
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.