npm · Malicious package advisory
Malwarestarship-timeline
MAL-2026-6485
Malicious code in starship-timeline (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8a4e552337fa70064e0a04644ee5a64378809a85b281eda24707bc9a6eba473f) starship-timeline@1.0.1 ships no real functionality. Its package.json declares a preinstall hook (`"preinstall": "node index.js"`) that runs automatically on `npm install`. index.js collects hostname, username, home directory, DNS servers, package metadata, and the contents of `/etc/passwd` and `/etc/hosts`, then POSTs the bundle over HTTPS to a hardcoded Burp Collaborator (`*.oastify.com`) subdomain (`5tziqozihbss8jg955ez91bycpij69uy.oastify.com`). The package has empty author and description fields, a single published version, and no other code paths — the exfiltration beacon is its only purpose, matching the standard dependency-confusion / OOB-beacon pattern. Whether deployed as research or as a live attack, installing the package leaks identifying host data and sensitive system files to an attacker-controlled out-of-band endpoint.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.