npm · Malicious package advisory
Malware@civitatis/bot-ui
MAL-2026-6069
Malicious code in @civitatis/bot-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7) The package declares `"preinstall": "node index.js"` in package.json, causing index.js to execute automatically on `npm install`. index.js requires `child_process`, `os`, `https`, and `http`, then collects host and user identity — `whoami`, `id`, `os.hostname()`, `process.platform`, architecture, homedir, `os.userInfo()` (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL `https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56` (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the `bot-ui` name — and the `@civitatis` scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.
Compromised versions (2)
- 15.12.11
- 14.12.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.