Supply-chain threat intelligence

Incident detail

criticalnpm·crypto miner·osv

Malicious code in api-changelly (npm)

api-changelly

Risk score

92

AI summary

Indexed incident for api-changelly (npm).

Description

The package declares preinstall: node index.js, which runs automatically on npm install. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes whoami and id via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56. The package name api-changelly impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private changelly-family dependency to this public package.

Technical details

Affected versions

=19.2.11

Indicators

  • affected version=19.2.1175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents