VYPR

npm · Malicious package advisory

Malware

backpack-ios

MAL-2026-6366

Malicious code in backpack-ios (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (25f0d7ea98cef4ddcac8af3b854c37c1a8a3246a13357af60cb36589454657b5)
package.json declares `"preinstall": "node index.js"`, causing index.js to execute automatically on `npm install`. The script collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers, cwd, full package.json) and reads /etc/passwd and /etc/hosts via fs.readFileSync, then HTTPS POSTs the JSON payload to xopalguac3nk3bb10x9r4t6q7hdd13ps.oastify.com — a Burp Collaborator (OAST) subdomain used for out-of-band data exfiltration. The package name mirrors Skyscanner's Backpack iOS design-system package while shipping a ~2KB exfil-only payload with empty author/description fields, consistent with a dependency-confusion / typosquat lure. Installing this package directly leaks installer host identity and local user account data to an attacker-controlled endpoint.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.