VYPR

npm · Malicious package advisory

Malware

unico-check

MAL-2026-5830

Malicious code in unico-check (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d)
package.json declares a preinstall lifecycle hook that runs `curl` against `https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f`, passing the installer's hostname, current user, working directory, full `uname -a` output, and `$HOME` as query parameters. The beacon fires automatically on `npm install` with no user interaction. The package ships no source files, declares no main entry, and uses the implausible version `9.9.9` — the canonical shape of a dependency-confusion / typosquat reconnaissance package targeting builds that may resolve a private `unico-check` from the public registry. The package's only effect on installation is to leak host identifiers to an anonymous, attacker-controlled webhook.site bin, staging follow-on compromise.

## Source: ossf-package-analysis (61af12e58a8af18142c41410d07328ba0dbfb7e79b145d84b2389444c27b2abc)
The OpenSSF Package Analysis project identified 'unico-check' @ 9.9.9 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 9.9.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.