VYPR

npm · Malicious package advisory

Malware

@salem_jalal/osc-components

MAL-2026-6479

Malicious code in @salem_jalal/osc-components (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cb26651411f61b6420c6291f7b3a7a4869bb670f1d4c75ddfc37481c50f3aae7)
The package's postinstall hook (install.js, wired via package.json scripts.postinstall) runs on every `npm install` and transmits installer host identifiers — hostname, OS platform/arch, username, current working directory, Node version, npm registry env, and DNS server list — to http://dm-tech.ly:8001/poc-osc/callback over plain HTTP as a URL-encoded query parameter. The main module (index.js) contains an IIFE that, when loaded in a browser context (e.g., bundled into a downstream web app), harvests document.cookie, all localStorage entries, the current URL, and userAgent, and ships them to http://dm-tech.ly:8001/poc-osc/exfil with `credentials:'include'`. Although published under the personal scope @salem_jalal, the payload self-identifies internally as `@dx-ui/osc-components` at the same version `1981.17.7`, indicating a dependency-confusion / namespace-impersonation attack against the @dx-ui scope. Console and path strings labeled `[PoC]` / `poc-osc` are cover framing; the code runs unconditionally on real installers.

Compromised versions (1)

  • 1981.17.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.