Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in library-explorer (npm)

library-explorer

Risk score

92

AI summary

Indexed incident for library-explorer (npm).

Description

package.json declares preinstall: node index.js. On npm install, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out whoami and (non-Windows) id via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.

Technical details

Affected versions

=25.2.1

Indicators

  • affected version=25.2.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents