VYPR

npm · Malicious package advisory

Malware

cardano-addresses-docs

MAL-2026-5802

Malicious code in cardano-addresses-docs (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75)
package.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, full package.json) and reads /etc/passwd and /etc/hosts from the installer's machine, then HTTPS-POSTs the JSON payload to swsusmhg43tobo96re8dwn0vomudi46t.oastify.com — a Burp Collaborator out-of-band domain. The package has empty author, empty description, no real functionality, and a name impersonating the legitimate cardano-addresses Cardano library — consistent with a dependency-confusion / typosquat reconnaissance payload.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.