npm · Malicious package advisory
Malwarebackpack-ios
MAL-2026-6366
Malicious code in backpack-ios (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (25f0d7ea98cef4ddcac8af3b854c37c1a8a3246a13357af60cb36589454657b5) package.json declares `"preinstall": "node index.js"`, causing index.js to execute automatically on `npm install`. The script collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers, cwd, full package.json) and reads /etc/passwd and /etc/hosts via fs.readFileSync, then HTTPS POSTs the JSON payload to xopalguac3nk3bb10x9r4t6q7hdd13ps.oastify.com — a Burp Collaborator (OAST) subdomain used for out-of-band data exfiltration. The package name mirrors Skyscanner's Backpack iOS design-system package while shipping a ~2KB exfil-only payload with empty author/description fields, consistent with a dependency-confusion / typosquat lure. Installing this package directly leaks installer host identity and local user account data to an attacker-controlled endpoint.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.