VYPR

npm · Malicious package advisory

Malware

vega-lite-next

MAL-2026-6709

Malicious code in vega-lite-next (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd)
Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares `preinstall: node index.js`. On `npm install`, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of `whoami` and `id` executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.

Compromised versions (1)

  • 19.2.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.