npm · Malicious package advisory
Malware@w2d/web-components
MAL-2026-5541
Malicious code in @w2d/web-components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2b8292b80f3e692b249561a14d94d2dfa0196f2377e7eee027b8dd630d251bd1) The package targets the @w2d scope with an artificially high version (2.999.999) — the canonical dependency-confusion shape designed to outrank an internal registry's real package. On `npm install`, postinstall.js collects host identity (os.hostname(), os.userInfo(), process.cwd(), process.platform), base64-encodes the payload, and exfiltrates it to a hardcoded Burp Collaborator OAST domain `929u6o01dc28rl4mend089t9b0hr5ht6.oastify.com` over both HTTPS GET (postinstall.js:28) and DNS lookup (postinstall.js:31). Comments in the file self-describe the package as a dependency-confusion PoC against Allwyn AG / win2day. Regardless of the author's stated bug-bounty framing, any installer whose registry configuration resolves the public @w2d/web-components instead of the intended internal package will silently beacon host/user/cwd identifiers to the attacker-controlled OAST host on install.
Compromised versions (1)
- 2.999.999
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.