npm · Malicious package advisory
Malware@dktunited/anly-tracker-v2
MAL-2026-5459
Malicious code in @dktunited/anly-tracker-v2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6) scripts/postinstall.js runs unconditionally during `npm install` and exfiltrates installer-side identifiers to an attacker-controlled out-of-band collector. The script fetches the installer's public IP from api.ipify.org, then collects `os.userInfo().username`, `os.hostname()`, `process.cwd()`, the package name, and the resolved IP, and transmits them to the hardcoded host `xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun` (an Interactsh OOB collector) via two channels: a `dns.lookup` of a hex-encoded subdomain and an `https.request` to `/poc` carrying the JSON payload base64-encoded in an `x-poc` header. The package is published at version 99.99.99 — the canonical dependency-confusion squat marker designed to outrank any internal `@dktunited/anly-tracker-v2` package by semver. Whether labeled a bug-bounty PoC by the author or not, it is live on the public registry and will harm any build system that resolves it.
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.