npm · Malicious package advisory
Malwarellm-traces-app
MAL-2026-6371
Malicious code in llm-traces-app (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c0916c8694f396dfa0947df6e3b3d3966839a6e02d4a4f5b84f698787c446bdc) On `npm install`, the package's `preinstall` lifecycle hook runs `node index.js`, which collects host identity (`os.hostname()`, `os.userInfo()`, homedir, DNS servers, cwd) and reads the installer's `/etc/passwd` and `/etc/hosts`, then HTTPS POSTs the combined payload to `ltiyq4zyhrs88zgp5lef9hbec5i46uuj.oastify.com` — a Burp Collaborator (OAST) subdomain controlled by the package publisher. The exfiltration fires automatically on default install with no user interaction. Reading `/etc/passwd` enumerates the installer's local user accounts; the OAST destination provides the publisher with arbitrary out-of-band data capture. This is a textbook dependency-confusion / supply-chain exfiltration beacon.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.