npm · Malicious package advisory
Malwaremenu-filter-widget-web
MAL-2026-5486
Malicious code in menu-filter-widget-web (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce) package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname() and sends it to a hardcoded oastify.com (Burp Collaborator) URL via HTTPS GET, with a fallback DNS lookup that embeds the hostname as a subdomain label. Both channels carry a unique token plus the installer's hostname, registering the install with a remote attacker-controlled collaborator on every install. The package self-describes as a 'PoC' but is published to the public registry, so any installer leaks host identity automatically without consent.
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.