Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in @broadpeak/smartlib-ad (npm)

@broadpeak/smartlib-ad

Risk score

92

AI summary

Indexed incident for @broadpeak/smartlib-ad (npm).

Description

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js loads child_process/os/https, runs whoami and id, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the @broadpeak scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.

Technical details

Affected versions

=24.1.10

Indicators

  • affected version=24.1.1075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents