npm · Malicious package advisory
Malwaretree-sitter-forth
MAL-2026-6297
Malicious code in tree-sitter-forth (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (16f52e13ffb66b20f7c3dca7022e8115dbce1f39264638d38b73d6488e4cbf27)
Package is a dependency-confusion lure: it claims version 9999.99.99 with description 'npm 404 error referenced in AlexanderBrevig/tree-sitter-forth', engineered to win resolution when an internal build references a non-existent public package of this name. index.js is a hollow re-export (`module.exports = require('tree-sitter-forth')`) while postinstall.js fires the actual payload. On `npm install`, postinstall.js collects host identity (os.hostname(), Node/OS versions, package name+version), probes 16 CI provider environment variables, harvests GitHub workflow/repo/owner env vars, and reads the configured npm registry URL, then POSTs the bundle as JSON to https://ddactic-lab.online/sc/beacon (postinstall.js:48). A DNS-exfil fallback encodes the package slug, CI label, and a hash into a subdomain of b.ddactic-lab.online (postinstall.js:62 `dns.lookup(...b.ddactic-lab.online)`) to bypass HTTP-blocking egress proxies. The leaked data — internal CI provider, private registry URL, GitHub repo/workflow names — is reconnaissance material for follow-on dependency-confusion attacks against the victim's internal infrastructure.
Compromised versions (1)
- 9999.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.