VYPR

npm · Malicious package advisory

Malware

ac_semantic-ui_ts

MAL-2026-5435

Malicious code in ac_semantic-ui_ts (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d)
package.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters including os.hostname(), the package name and version, a nonce, and a lifecycle phase. The package name `ac_semantic-ui_ts` paired with the inflated version `99.99.100` is the canonical dependency-confusion shape — designed to win resolution over an internal/private registry entry of the same name. Any installer who resolves this package from public npm silently transmits their host identifier to an unencrypted, hardcoded, non-publisher endpoint with no opt-in. The README self-describes as an 'authorized benign dependency-confusion canary,' but the supply-chain mechanism — install-time exfiltration of installer host metadata to a third-party IP — is identical to a malicious dependency-confusion beacon, and any installer who pulls this unintentionally has their hostname leaked.

Compromised versions (1)

  • 99.99.100

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.