VYPR
← All malware advisories

npm · Malicious package advisory

Malware

@whatnot-web/www-legacy

MAL-2026-5622

Malicious code in @whatnot-web/www-legacy (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709)
@whatnot-web/www-legacy@99.1.1 is a dependency-confusion shell targeting the Whatnot org scope. The package ships an empty library (index.js exports `{}`), a generic description, blank author, and an inflated version (99.1.1) — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name. On `npm install`, postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a 2-level directory listing of the working directory, base64-encodes the JSON payload, and POSTs it via HTTPS to the hardcoded interactsh collector wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun. A hex-encoded DNS-lookup fallback to the same host is included to defeat HTTPS egress filtering. The collected information identifies internal build hosts and source-tree layouts and is suitable for staging follow-on attacks against the targeted organization.

## Source: ossf-package-analysis (e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24)
The OpenSSF Package Analysis project identified '@whatnot-web/www-legacy' @ 99.1.2 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (2)

  • 99.1.2
  • 99.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.