npm · Malicious package advisory
Malwareppt-creator
MAL-2026-6355
Malicious code in ppt-creator (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8040bc58597dee52581beb232688c85302554af0af5726abc15c56a21ac69f2c) On `npm install`, package.json's `preinstall` hook runs index.js, which collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, the package's own package.json) and reads the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to a Burp Collaborator subdomain at 3z3l99x7vp8us6lzqm575hfh58bzzqnf.oastify.com. The package has no documented purpose and no library functionality — its only effect on installers is the exfiltration beacon. Any developer or CI system that runs `npm install ppt-creator` leaks user-account enumeration data and host fingerprints to the attacker-controlled collaborator endpoint.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.