npm · Malicious package advisory
Malwareoa-crm-webapi
MAL-2026-5745
Malicious code in oa-crm-webapi (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1) oa-crm-webapi@9.9.99 is a dependency-confusion payload squatting an internal-sounding package name. package.json declares a postinstall hook (`node beacon.js`) which fires automatically on `npm install`. beacon.js reads `os.hostname()` and transmits it to the attacker-controlled Burp Collaborator host `yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com` via two channels: a DNS lookup of `<nonce>.<hostname>.<collaborator-host>` (out-of-band DNS exfil) and an HTTPS POST to the same host with the hostname in the body. The 9.9.99 version + generic 'internal placeholder' description is the canonical shape used to hijack private package names by overriding the legitimate internal registry resolution. A successful install both proves code execution on the installer and leaks the internal hostname to an external attacker.
Compromised versions (1)
- 9.9.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.