npm · Malicious package advisory
Malware@onum-releases/ixel
MAL-2026-6124
Malicious code in @onum-releases/ixel (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599)
On import, index.js reads os.hostname() and issues an HTTPS GET to `ixel.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel` (oastify.com is Burp Suite's Collaborator out-of-band interaction domain). The hostname is embedded as a DNS subdomain label, so the DNS resolution alone leaks the installer's hostname to an attacker-controlled nameserver regardless of whether the HTTP request succeeds. Any developer machine or CI runner that `require()`s this package — directly or transitively — sends a host identifier to the operator of the configured Collaborator instance. The package.json description ("Security PoC placeholder - benign, no runtime payload") contradicts the shipped code, and the `@onum-releases` scope appears designed to resemble a legitimate vendor releases namespace.
Compromised versions (3)
- 1.0.2
- 1.0.3
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.