VYPR

npm · Malicious package advisory

Malware

morningstar-design-system

MAL-2026-5449

Malicious code in morningstar-design-system (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e)
On `npm install`, the package's `preinstall` lifecycle script runs `wget` against a hardcoded bare-IP HTTP endpoint, passing the output of `id`, `pwd`, `hostname`, and `ip a` as URL query parameters. This leaks the installing user's username/UID/GID, working directory, hostname, and full network interface configuration to an attacker-controlled host automatically, before any other code runs. The package name targets Morningstar's organizational namespace and is published at an absurd `99.0.1` version — the canonical dependency-confusion shape designed to override an internal package of the same name. README self-identifies as a dependency-confusion PoC. Whether labeled research or not, the published artifact actively exfiltrates installer data to a third-party IP and is unsafe to install in any environment.

Compromised versions (3)

  • 99.0.1
  • 99.0.2
  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.