VYPR

npm · Malicious package advisory

Malware

vend-utilities

MAL-2026-5832

Malicious code in vend-utilities (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1)
package.json declares `preinstall: node index.js`, causing index.js to run automatically on `npm install`. The script collects installer host identity (os.hostname(), os.userInfo() including uid/gid/shell/homedir, process.cwd(), process.platform/arch, OS release, memory, cpus) and executes `whoami` and `id` via child_process to capture their output, then POSTs the combined JSON payload to a hardcoded Burp Collaborator subdomain at https://6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com/detox56 (index.js:7,:83). The package has empty author/description metadata and a dependency-confusion-style name. An undeclared 10.8 KB sibling file `i` ships in the tarball but is not reached by the preinstall path. Installing this package leaks installer host identity and shell-recon output to an attacker-controlled endpoint.

Compromised versions (1)

  • 14.12.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.