npm · Malicious package advisory
Malware@payment-review/store
MAL-2026-5427
Malicious code in @payment-review/store (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e) package.json declares `preinstall: node index.js || true`, so installing the package automatically runs index.js on `npm install`. The script collects host identity fields — `os.hostname()`, `os.userInfo().username`, `__dirname`, `process.cwd()`, and the package id — serializes them as JSON, and exfiltrates them via two channels: (1) an HTTP POST to the hardcoded bare IP `http://172.201.213.59:9090/c`, and (2) a hex-encoded DNS resolution against a subdomain of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (Interactsh out-of-band exfiltration). The package metadata (`@payment-review/store`, version `99.0.0`, description `security research`, no real functionality) matches the dependency-confusion shape: a high version number under a target-org-styled scope intended to override an internal private package of the same name. Installing this package leaks the installer's host and user identity to attacker-controlled infrastructure with no user consent.
Compromised versions (2)
- 99.0.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.