VYPR

npm · Malicious package advisory

Malware

@giftyhq/widget-components

MAL-2026-5747

Malicious code in @giftyhq/widget-components (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62)
package.json declares `"preinstall": "node index.js"`, which fires automatically on `npm install`. index.js collects host fingerprinting data — `os.hostname()`, `os.userInfo()`, `process.platform`, uid/gid, shell, cwd, and the output of `child_process.exec('whoami')` and `exec('id')` — and POSTs the result as JSON to the hardcoded URL `https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56`. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.

Compromised versions (1)

  • 19.12.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.