VYPR

npm · Malicious package advisory

Malware

menu-filter-widget-web

MAL-2026-5486

Malicious code in menu-filter-widget-web (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce)
package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname() and sends it to a hardcoded oastify.com (Burp Collaborator) URL via HTTPS GET, with a fallback DNS lookup that embeds the hostname as a subdomain label. Both channels carry a unique token plus the installer's hostname, registering the install with a remote attacker-controlled collaborator on every install. The package self-describes as a 'PoC' but is published to the public registry, so any installer leaks host identity automatically without consent.

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.