npm · Malicious package advisory
Malwaregoofy-sdk
MAL-2026-6997
Malicious code in goofy-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (779daa3389f4ff3ea7ca2acb4e0202b4465e90fa0d8b7bdcc0e3785f34e454a2) goofy-sdk@9999.0.0 is a dependency-confusion squat: the version is inflated to 9999.0.0 to shadow an internal package of the same name in build systems that resolve unscoped names against the public npm registry. On install, the package's preinstall hook executes callback.js, which reads os.hostname(), os.userInfo().username, process.platform, and process.cwd() and transmits them out-of-band to *.oast.fun (Interactsh OAST callback infrastructure) via a DNS subdomain-encoded lookup and an HTTPS POST. Any build system that mis-resolves the internal name to this public package will silently leak internal host identity to a third-party callback service. Self-declared bug-bounty/research framing does not change the installer-side impact — the harm (unconsented host-identity beacon on install) is the same regardless of motive.
Compromised versions (1)
- 9999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.