Supply-chain threat intelligence
Risk score
92
Indexed incident for triage-bot (npm).
package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and https, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.
Affected versions
Indicators
Timeline