npm · Malicious package advisory
Malware@onum-releases/shared-components
MAL-2026-6126
Malicious code in @onum-releases/shared-components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74) On require()/import, index.js reads os.hostname() and issues an HTTP GET to 'shared-components.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/shared-components', leaking the installer's hostname out-of-band to an attacker-controlled Burp Collaborator subdomain. The package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload' but the shipped index.js contradicts that claim and actively beacons on every load. The @onum-releases scope combined with the generic 'shared-components' name is consistent with a dependency-confusion squat against an internal Onum private package; any build that resolves this public version executes the beacon and discloses the host identifier to a third party. Self-described 'PoC' framing does not neutralize the harm — the code performs real installer-side data exfiltration.
Compromised versions (3)
- 1.0.1
- 1.0.3
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.