Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in triage-bot (npm)

triage-bot

Risk score

92

AI summary

Indexed incident for triage-bot (npm).

Description

package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and https, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.
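
A static check for the traits described above, added here as an example; it is not code from the package or from this advisory. It flags install-time lifecycle hooks and scans the script they run for host-data collection and out-of-band endpoints. The function names, the rule list, the OAST domains other than oastify.com, and the sample package are assumptions constructed for illustration.

```javascript
// Added example: static triage of an npm package for install-time beacon traits.
// Inputs are in-memory so it runs offline: pkg = parsed package.json,
// files = { relativePath: sourceText }.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const SOURCE_RULES = [
  // [finding id, pattern]; the OAST domain list is an assumption beyond oastify.com
  ['reads-system-file', /\/etc\/(passwd|hosts)\b/],
  ['host-fingerprint', /\b(hostname|userInfo|homedir|getServers)\s*\(/],
  ['network-module', /require\(\s*['"](https?|dns)['"]\s*\)/],
  ['oast-endpoint', /[\w.-]+\.(oastify\.com|burpcollaborator\.net|interact\.sh)\b/i],
];

function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`install-hook:${hook}`);
    // Follow "node <file>" hooks into the script they execute.
    const m = /^\s*node\s+(\S+)/.exec(cmd);
    const src = m ? files[m[1].replace(/^\.\//, '')] : undefined;
    if (src === undefined) { findings.push(`unresolved-hook-target:${hook}`); continue; }
    for (const [id, re] of SOURCE_RULES) if (re.test(src)) findings.push(`${id}:${m[1]}`);
  }
  if (!pkg.author && !pkg.description) findings.push('empty-metadata');
  return findings;
}

// Block when an install hook's target both gathers host data and names an OAST endpoint.
function verdict(findings) {
  const has = (p) => findings.some((f) => f.startsWith(p));
  if (has('install-hook:') && has('oast-endpoint:') &&
      (has('reads-system-file:') || has('host-fingerprint:'))) return 'block';
  return has('install-hook:') ? 'review' : 'pass';
}

// Constructed sample (not the real package contents): inert text carrying the traits described.
const samplePkg = { name: 'sample-pkg', version: '1.0.1', author: '', description: '',
  license: 'ISC', scripts: { preinstall: 'node index.js' } };
const sampleFiles = { 'index.js': [
  "const os = require('os'); const fs = require('fs'); const https = require('https');",
  "const info = { host: os.hostname(), user: os.userInfo().username };",
  "const passwd = fs.readFileSync('/etc/passwd', 'utf8');",
  "const target = 'placeholder.oastify.com'; // constructed placeholder host",
].join('\n') };

console.log(auditPackage(samplePkg, sampleFiles), verdict(auditPackage(samplePkg, sampleFiles)));
```

Run against an unpacked tarball before installation, or install with `npm install --ignore-scripts` so that lifecycle hooks do not execute while the package is reviewed.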

Technical details

Affected versions

=1.0.1, =1.0.2

Indicators

  • affected version=1.0.1 (75%)
  • affected version=1.0.2 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
