VYPR

npm · Malicious package advisory

Malware

ppt-creator

MAL-2026-6355

Malicious code in ppt-creator (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8040bc58597dee52581beb232688c85302554af0af5726abc15c56a21ac69f2c)
On `npm install`, package.json's `preinstall` hook runs index.js, which collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, the package's own package.json) and reads the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to a Burp Collaborator subdomain at 3z3l99x7vp8us6lzqm575hfh58bzzqnf.oastify.com. The package has no documented purpose and no library functionality — its only effect on installers is the exfiltration beacon. Any developer or CI system that runs `npm install ppt-creator` leaks user-account enumeration data and host fingerprints to the attacker-controlled collaborator endpoint.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.