npm · Malicious package advisory
Malwarecardano-addresses-docs
MAL-2026-5802
Malicious code in cardano-addresses-docs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75) package.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, full package.json) and reads /etc/passwd and /etc/hosts from the installer's machine, then HTTPS-POSTs the JSON payload to swsusmhg43tobo96re8dwn0vomudi46t.oastify.com — a Burp Collaborator out-of-band domain. The package has empty author, empty description, no real functionality, and a name impersonating the legitimate cardano-addresses Cardano library — consistent with a dependency-confusion / typosquat reconnaissance payload.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.