VYPR

npm · Malicious package advisory

Malware

oa-crm-webapi

MAL-2026-5745

Malicious code in oa-crm-webapi (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1)
oa-crm-webapi@9.9.99 is a dependency-confusion payload squatting an internal-sounding package name. package.json declares a postinstall hook (`node beacon.js`) which fires automatically on `npm install`. beacon.js reads `os.hostname()` and transmits it to the attacker-controlled Burp Collaborator host `yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com` via two channels: a DNS lookup of `<nonce>.<hostname>.<collaborator-host>` (out-of-band DNS exfil) and an HTTPS POST to the same host with the hostname in the body. The 9.9.99 version + generic 'internal placeholder' description is the canonical shape used to hijack private package names by overriding the legitimate internal registry resolution. A successful install both proves code execution on the installer and leaks the internal hostname to an external attacker.

Compromised versions (1)

  • 9.9.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.