Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in consumerweb (npm)

consumerweb

Risk score

92

AI summary

Indexed incident for consumerweb (npm).

Description

On npm install, both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator). The package name and description ('Internal App bUg b0UntY gollum22 h1') indicate a dependency-confusion attempt targeting an internal package name; any successful install both confirms the internal name is squattable and leaks identifying information about the installer's environment to the attacker's collaborator. No installer opt-in, no legitimate use case for the collected data going to an OAST endpoint.

Technical details

Affected versions

=2200.4.2

Indicators

  • affected version=2200.4.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents