VYPR

npm · Malicious package advisory

Malware

triage-bot

MAL-2026-6346

Malicious code in triage-bot (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64)
package.json declares `preinstall: node index.js`, so the payload runs automatically on `npm install` with no user action. index.js requires `os`, `fs`, and `https`, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to `t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com`, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.

Compromised versions (2)

  • 1.0.1
  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.