Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in giantswarm (npm)

giantswarm

Risk score

92

AI summary

Indexed incident for giantswarm (npm).

Description

The package declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, whoami, id, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name giantswarm impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private @giantswarm/* scopes.

Technical details

Affected versions

=22.0.1

Indicators

  • affected version=22.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents