VYPR

npm · Malicious package advisory

Malware

@mep-exp/api-tools

MAL-2026-6183

Malicious code in @mep-exp/api-tools (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555)
preinstall.js, registered as scripts.preinstall and also required from the main module and every bin entry, collects os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and a timestamp and POSTs them as JSON to https://webhook.site/1ba25769-0f80-4429-a7d2-409af5fa5adc. The request runs unconditionally during `npm install` (preinstall lifecycle) and on every require/CLI invocation, with errors silently swallowed. The package scope (@mep-exp) and bin names (mesh-swagger-cli, mesh-exp-entitlements, mesh-exp-routes, mesh-exp-api-clients, etc.) impersonate an internal Westpac 'MEP Experience Platform' toolchain, and the exfil payload includes a `note: "Westpac CT"` marker — consistent with a dependency-confusion attack against that organization's internal namespace published on public npm. The package provides no legitimate functionality beyond the beacon.

Compromised versions (1)

  • 2.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.