npm · Malicious package advisory
Malwareing-feat-itsme-oidc-authentication
MAL-2026-5780
Malicious code in ing-feat-itsme-oidc-authentication (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5) On npm install, package.json's preinstall hook executes poc.js, which collects os.hostname(), os.userInfo().username, process.cwd(), and process.platform, base64-encodes the values, and issues an HTTPS GET to https://d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live/cb?id=<token>&d=<b64> — sending installer host, user, working directory, and platform to an external Burp Collaborator / interactsh subdomain without consent. The package is named to mimic an internal ING Bank namespace and pinned to version 99.99.99 to win resolution in dependency-confusion scenarios. Any developer or CI environment that resolves this name leaks identifying host data to an attacker-controlled collaborator endpoint. This matches the textbook dependency-confusion exfiltration pattern regardless of any authorization claim made by the author.
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.