npm · Malicious package advisory
Malwaredomains-billing-types
MAL-2026-6980
Malicious code in domains-billing-types (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4860726efc056e319a24e46ac4e179809cc294267679a9b8122c5205b49369f1)
domains-billing-types@99.91.1 executes `node index.js` from its `postinstall` lifecycle script. On install, index.js reads `os.hostname()` and `os.userInfo().username` and embeds them as subdomain labels in a DNS A-record lookup to `<hostname>.<username>.aiwm5lowso4vtjynsoije5q4rvxmlf94.oastify.com` (Burp Suite Collaborator, an out-of-band interaction server). The DNS resolution transmits the installer's host and user identity to an attacker-controlled OAST endpoint at install time, without consent. The package has anonymous authorship, an empty description ("Billing!"), and no real functionality — the name and shape are consistent with a dependency-confusion probe against an internal package namespace, with the DNS beacon confirming any successful resolution.
## Source: ossf-package-analysis (11558e73bc928dd5dadd7ba70e9256e5458e6d829c63a577a31740d2f6c553e1)
The OpenSSF Package Analysis project identified 'domains-billing-types' @ 99.91.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 99.91.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.