VYPR

npm · Malicious package advisory

Malware

int_sezzle_sfra

MAL-2026-6577

Malicious code in int_sezzle_sfra (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d)
package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance from the installer machine — hostname, OS info, username, uid/gid, shell, home directory, current working directory, and the output of `whoami` and `id` shelled out via child_process.exec — and POSTs the resulting JSON to a hardcoded Burp Collaborator OAST subdomain at https://1mopc72u2pqhsphbd3rmzirm9df43wrl.oastify.com/detox56. The package name mirrors the Salesforce Commerce Cloud (SFRA) cartridge naming convention used by Sezzle's internal `int_sezzle_sfra` integration cartridge; combined with empty author/description/license metadata and the install-time OAST beacon, this matches the canonical dependency-confusion pattern targeting a private vendor cartridge name. Installing this package causes unconsented exfiltration of installer identity and shell-command output to an attacker-controlled callback host.

Compromised versions (1)

  • 25.2.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.