VYPR

npm · Malicious package advisory

Malware

@coze-common/chat-area

MAL-2026-5533

Malicious code in @coze-common/chat-area (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04)
This package is a dependency-confusion/namespace-squat against ByteDance's @coze-common scope. The library is hollow — index.js is `module.exports = {}` and the description ('Browser accessibility and security utilities for React') does not match the package name. The harm runs at install time: package.json declares `postinstall: node postinstall.js`, and postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a recursive directory listing of the install working directory, base64-encodes the JSON payload, and POSTs it to https://wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun/ via https.request. A DNS covert channel (dns.lookup of a hex-encoded hostname+username subdomain under the same oast.fun host) is used as fallback to bypass HTTP egress filters. oast.fun is Interactsh out-of-band infrastructure used for reconnaissance against the installer's machine; the version 99.1.1 is the shadowing pattern used to win dependency-confusion resolution against the legitimate private @coze-common scope.

Compromised versions (1)

  • 99.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.