VYPR

npm · Malicious package advisory

Malware

@dktunited/anly-tracker-v2

MAL-2026-5459

Malicious code in @dktunited/anly-tracker-v2 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6)
scripts/postinstall.js runs unconditionally during `npm install` and exfiltrates installer-side identifiers to an attacker-controlled out-of-band collector. The script fetches the installer's public IP from api.ipify.org, then collects `os.userInfo().username`, `os.hostname()`, `process.cwd()`, the package name, and the resolved IP, and transmits them to the hardcoded host `xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun` (an Interactsh OOB collector) via two channels: a `dns.lookup` of a hex-encoded subdomain and an `https.request` to `/poc` carrying the JSON payload base64-encoded in an `x-poc` header. The package is published at version 99.99.99 — the canonical dependency-confusion squat marker designed to outrank any internal `@dktunited/anly-tracker-v2` package by semver. Whether labeled a bug-bounty PoC by the author or not, it is live on the public registry and will harm any build system that resolves it.

Compromised versions (1)

  • 99.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.