VYPR

npm · Malicious package advisory

Malware

@businessapp-microsites/apis

MAL-2026-6696

Malicious code in @businessapp-microsites/apis (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b70ab5da6865ec94b15097fa84836ab41f39b65a5277974b407c545d8d424c7f)
@businessapp-microsites/apis@9999.0.2 is a dependency-confusion squat against the private scope `@businessapp-microsites`, published with an implausibly high version (9999.0.2) to outrank any internal registry copy. On `npm install`, its postinstall.js runs child_process.execSync to collect `hostname`, `whoami`, and `uname -a` / `ver`, combines this with os.hostname(), os.userInfo(), and CI attribution env vars (GITHUB_REPOSITORY, GITHUB_SHA, RUNNER_NAME, etc.), and sends them via https.get to a hardcoded external callback at poc-trustpilot-npm-1782770591.testingboxes.com. Any org whose internal registry mirrors public npm and resolves this scope will auto-execute the beacon under CI credentials. The package self-labels as a bug-bounty PoC, but the executed code is a full dependency-confusion exfil payload against installers of the squatted scope; cover-story framing does not change the installer-side harm.

## Source: ghsa-malware (99d9bf41216d926667db3fad15424bf774c930eea925034003811ff05ca4bbca)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (3)

  • 9999.0.0
  • 9999.0.1
  • 9999.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.