npm · Malicious package advisory
Malware@nstrlabs/utils
MAL-2026-5423
Malicious code in @nstrlabs/utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355) On `npm install`, the package's `preinstall` script (`node index.js || true`) executes automatically and collects host identifiers from the installer's machine — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP `http://172.201.213.59:9090/c`. Second, the data is hex-encoded into a subdomain and resolved via DNS against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live`, an Interactsh out-of-band beacon. The `|| true` suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.