VYPR

npm · Malicious package advisory

Malware

easy-string-kit

MAL-2026-6459

Malicious code in easy-string-kit (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803)
package.json declares a postinstall lifecycle script that automatically runs on npm install and executes roughly 25 curl POST requests harvesting cloud-instance identity and credential data from /data/* paths (ami-id, instance-id, iam/, identity-credentials/, public-keys/, security-groups, mac, hostname, local/public ipv4, etc.). Each value is sent over plain HTTP to http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/, a Burp Suite Collaborator out-of-band exfiltration host controlled by the attacker. The package advertises itself as 'a collection of handy string utility functions' but ships no string-utility code coupled to the install hook — only the exfiltration payload. Author, repository, bugs, and homepage fields are all empty strings, consistent with a disposable namespace-squat used to deliver an exfiltration payload (dependency-confusion / typosquat shape). Installing this package on any host — and especially on a cloud build agent — leaks IAM metadata, SSH public keys, and instance identity to an attacker-controlled collaborator endpoint.

## Source: ossf-package-analysis (afb272eb6208527c57abc9ef604a3776dfdca057e5c9b16e524aa4703df623b4)
The OpenSSF Package Analysis project identified 'easy-string-kit' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (8)

  • 1.0.1
  • 1.0.4
  • 1.0.5
  • 1.0.8
  • 1.0.6
  • 1.0.7
  • 1.0.3
  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.