VYPR

npm · Malicious package advisory

Malware

domains-billing-types

MAL-2026-6980

Malicious code in domains-billing-types (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4860726efc056e319a24e46ac4e179809cc294267679a9b8122c5205b49369f1)
domains-billing-types@99.91.1 executes `node index.js` from its `postinstall` lifecycle script. On install, index.js reads `os.hostname()` and `os.userInfo().username` and embeds them as subdomain labels in a DNS A-record lookup to `<hostname>.<username>.aiwm5lowso4vtjynsoije5q4rvxmlf94.oastify.com` (Burp Suite Collaborator, an out-of-band interaction server). The DNS resolution transmits the installer's host and user identity to an attacker-controlled OAST endpoint at install time, without consent. The package has anonymous authorship, an empty description ("Billing!"), and no real functionality — the name and shape are consistent with a dependency-confusion probe against an internal package namespace, with the DNS beacon confirming any successful resolution.

## Source: ossf-package-analysis (11558e73bc928dd5dadd7ba70e9256e5458e6d829c63a577a31740d2f6c553e1)
The OpenSSF Package Analysis project identified 'domains-billing-types' @ 99.91.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 99.91.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.