npm · Malicious package advisory
Malwareuidai_reusable_components
MAL-2026-5910
Malicious code in uidai_reusable_components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5875a720dc1cfc6e30a67b003fc43975fbef2e11352e715e19e55e54dd84ae67) On `npm install`, the preinstall lifecycle script in package.json executes an inline Node one-liner that collects the installer's hostname, OS username, NODE_ENV, current working directory, local IPv4 addresses (via `ipconfig|findstr IPv4` on Windows or `hostname -I` on Linux), the configured npm registry URL (`npm config get registry`), and Windows USERDOMAIN / Unix `id` output. The collected data is URL-encoded and embedded as a subdomain label in an HTTP GET to `*.d8ofndiplbq1d996mde0a9yukto9dm49e.oast.online`, an Interactsh out-of-band callback host controlled by the package author. The package's own description states it is a 'PoC for dependency confusion' targeting the UIDAI (Aadhaar / India's national identity authority) internal namespace, and the harvested private npm registry URL is the canonical signal an attacker uses to confirm a dependency-confusion victim. The package ships no actual UI component functionality — its only effect on install is the exfiltration beacon. ## Source: ghsa-malware (3786378a8cbd8c58a5a72b64f5f8aa2b4c36229c55de6fa472740ff4a89d4c2a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (5)
- 0.4.3
- 0.4.5
- 0.4.2
- 0.4.6
- 0.4.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.