VYPR

npm · Malicious package advisory

Malware

@entos-ems/xerxes-client-js

MAL-2026-5537

Malicious code in @entos-ems/xerxes-client-js (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b)
On `npm install`, package.json's `preinstall: node index.js` hook fires automatically and runs a reconnaissance beacon. index.js collects host identifiers (os.hostname(), process.platform, arch, home directory, username/uid/gid/shell, OS info, cwd) and the output of shell commands `whoami` and `id` (executed via child_process.exec), then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at https://98fmeiqizlsgqr14stq21w67ryxplf94.oastify.com/detox56. The package targets the @entos-ems scope and ships no functional client code, consistent with a dependency-confusion attack against an internal namespace.

Compromised versions (1)

  • 10.10.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.