npm · Malicious package advisory
Malware@outmarket/ui
MAL-2026-6291
Malicious code in @outmarket/ui (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7241a2e167db383267fa82ce9660a44f7bcca4b6d4f11bb7ca85eaa6b432a47e)
package.json declares a postinstall script that runs automatically on `npm install` and performs `require('https').get(...)` to a Burp Collaborator subdomain (`7rzjsf29azci2qjsm6kxt23ag1mtanyc.oastify.com`), passing `os.hostname()` and `os.userInfo().username` as query parameters. Any developer or build system installing this package leaks host identity to an external attacker-controlled OAST endpoint. The package's own description (`PENTEST-PoC: Dependency confusion - SecurifyAI engagement 2026-06-23`) and the version `9.9.9` published under the `@outmarket` scope indicate the package is designed to win resolution against an internal private package of the same name and harvest beacons from anyone in the targeted organization who installs it.
Compromised versions (1)
- 9.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.