npm · Malicious package advisory
Malwareac_semantic-ui_ts
MAL-2026-5435
Malicious code in ac_semantic-ui_ts (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d) package.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters including os.hostname(), the package name and version, a nonce, and a lifecycle phase. The package name `ac_semantic-ui_ts` paired with the inflated version `99.99.100` is the canonical dependency-confusion shape — designed to win resolution over an internal/private registry entry of the same name. Any installer who resolves this package from public npm silently transmits their host identifier to an unencrypted, hardcoded, non-publisher endpoint with no opt-in. The README self-describes as an 'authorized benign dependency-confusion canary,' but the supply-chain mechanism — install-time exfiltration of installer host metadata to a third-party IP — is identical to a malicious dependency-confusion beacon, and any installer who pulls this unintentionally has their hostname leaked.
Compromised versions (1)
- 99.99.100
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.