Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in formatters.ts (npm)

formatters.ts

Risk score

92

AI summary

Indexed incident for formatters.ts (npm).

Description

The package declares a preinstall hook that runs index.js on npm install. index.js collects host and identity reconnaissance — os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release, memory, CPU count, and the output of the whoami, id, and pwd shell commands — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package name resembles a legitimate formatter/TypeScript module and ships with empty description/author metadata, consistent with a dependency-confusion typosquat lure whose sole purpose is the install-time beacon.

Technical details

Affected versions

=14.2.1

Indicators

  • affected version=14.2.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents