npm · Malicious package advisory
Malwareeasy-string-kit
MAL-2026-6459
Malicious code in easy-string-kit (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803) package.json declares a postinstall lifecycle script that automatically runs on npm install and executes roughly 25 curl POST requests harvesting cloud-instance identity and credential data from /data/* paths (ami-id, instance-id, iam/, identity-credentials/, public-keys/, security-groups, mac, hostname, local/public ipv4, etc.). Each value is sent over plain HTTP to http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/, a Burp Suite Collaborator out-of-band exfiltration host controlled by the attacker. The package advertises itself as 'a collection of handy string utility functions' but ships no string-utility code coupled to the install hook — only the exfiltration payload. Author, repository, bugs, and homepage fields are all empty strings, consistent with a disposable namespace-squat used to deliver an exfiltration payload (dependency-confusion / typosquat shape). Installing this package on any host — and especially on a cloud build agent — leaks IAM metadata, SSH public keys, and instance identity to an attacker-controlled collaborator endpoint. ## Source: ossf-package-analysis (afb272eb6208527c57abc9ef604a3776dfdca057e5c9b16e524aa4703df623b4) The OpenSSF Package Analysis project identified 'easy-string-kit' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (8)
- 1.0.1
- 1.0.4
- 1.0.5
- 1.0.8
- 1.0.6
- 1.0.7
- 1.0.3
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.