VYPR

npm · Malicious package advisory

Malware

llm-traces-app

MAL-2026-6371

Malicious code in llm-traces-app (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c0916c8694f396dfa0947df6e3b3d3966839a6e02d4a4f5b84f698787c446bdc)
On `npm install`, the package's `preinstall` lifecycle hook runs `node index.js`, which collects host identity (`os.hostname()`, `os.userInfo()`, homedir, DNS servers, cwd) and reads the installer's `/etc/passwd` and `/etc/hosts`, then HTTPS POSTs the combined payload to `ltiyq4zyhrs88zgp5lef9hbec5i46uuj.oastify.com` — a Burp Collaborator (OAST) subdomain controlled by the package publisher. The exfiltration fires automatically on default install with no user interaction. Reading `/etc/passwd` enumerates the installer's local user accounts; the OAST destination provides the publisher with arbitrary out-of-band data capture. This is a textbook dependency-confusion / supply-chain exfiltration beacon.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.