npm · Malicious package advisory
Malware@adobesign/as-dev-tools
MAL-2026-6760
Malicious code in @adobesign/as-dev-tools (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6752e4d30c584cb5ca6f67265c983257c1531aa306b47ec00b43ddae83fe2532) The package's package.json declares a postinstall lifecycle hook that pipes the output of `whoami` through curl to a hardcoded Burp Collaborator subdomain (o5u9v30a13fddwo3ey623df59wfn3er3.oastify.com). This fires automatically on `npm install`, leaking the installer's OS username to an attacker-controlled out-of-band callback host. The package is otherwise empty of legitimate content. The combination of the @adobesign scope, an implausible 99.9.9 version, and an out-of-band beacon is the canonical dependency-confusion attack shape: the public package is designed to be resolved in place of an internal Adobe Sign package of the same name, and any build that resolves it will beacon the installer's identity to the attacker. ## Source: ossf-package-analysis (89bc395364731dd31b151f421bf94decd4441180ae9fa8e16ae540015c3bdc51) The OpenSSF Package Analysis project identified '@adobesign/as-dev-tools' @ 99.9.10 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (2)
- 99.9.10
- 99.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.