npm · Malicious package advisory

Malware

backoffice-charges-module

MAL-2026-5929

Malicious code in backoffice-charges-module (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (047eb92a0e8bb401b2c205765616c9b4b715ee7cfd33d2e6ef9dc8d645b77f04)
On every `npm install`, the `preinstall` lifecycle script (`node index.js > /dev/null 2>&1`) silently HTTPS-POSTs a JSON payload to `https://avamnrwqo7.rbmock.dev/` containing the package name, a generated `execution_id`, `process.version`, `process.platform`, `process.arch`, and an ISO timestamp. Output is redirected to `/dev/null` to hide the network call from the installer. The package has an empty description and author 'poc', declares a `main.js` that is not shipped, and uses an artificially high version number (1.999.0) — classic dependency-confusion/typosquat reconnaissance signals. The beacon allows whoever controls `avamnrwqo7.rbmock.dev` to enumerate which internal CI runners and developer hosts have resolved this name from the public registry instead of an internal one, identifying targets for follow-up payloads.

Compromised versions (3)

  • 1.999.0
  • 2.999.1
  • 2.999.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
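
The manifest signals named in the source details above (a lifecycle script whose output is discarded, an empty description, a declared `main` that is not shipped, an inflated version number) can be checked before a package is allowed to install. This is an added example, not part of the advisory or of the scanner it cites; `auditManifest`, the finding names, the `HIGH_COMPONENT` threshold and the sample file list are assumptions made for illustration.

```javascript
// Added example: flag the package.json signals this advisory describes.
// `manifest` is a parsed package.json; `shippedFiles` lists the paths that are
// actually present in the published tarball.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
const HIGH_COMPONENT = 900; // assumed cut-off for an "artificially high" number

function auditManifest(manifest, shippedFiles) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push(`${hook}-script`); // runs automatically during npm install
    // Output sent to /dev/null hides whatever the script does from the user.
    if (/>\s*\/dev\/null/.test(cmd)) findings.push(`${hook}-output-hidden`);
  }
  if (!String(manifest.description || '').trim()) findings.push('empty-description');
  if (typeof manifest.main === 'string') {
    const main = manifest.main.replace(/^\.\//, '');
    const files = new Set(shippedFiles.map((f) => f.replace(/^\.\//, '')));
    // Node also resolves "main" without an extension or as a directory.
    const candidates = [main, `${main}.js`, `${main}/index.js`];
    if (!candidates.some((c) => files.has(c))) findings.push('main-not-shipped');
  }
  // Compare only major.minor.patch; pre-release and build tags are ignored.
  const parts = String(manifest.version || '').split(/[.+-]/).slice(0, 3).map(Number);
  if (parts.some((n) => n >= HIGH_COMPONENT)) findings.push('inflated-version');
  return findings;
}

// Constructed manifest mirroring the fields the advisory reports.
const sample = {
  name: 'backoffice-charges-module',
  version: '1.999.0',
  description: '',
  author: 'poc',
  main: 'main.js',
  scripts: { preinstall: 'node index.js > /dev/null 2>&1' },
};
const sampleFiles = ['package.json', 'index.js']; // constructed file list

console.log(auditManifest(sample, sampleFiles));
```

Each finding is a signal to review, not a verdict: legitimate packages also use install hooks and some have large minor versions, so the combination is what matters.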