Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in vega-lite-next (npm)

vega-lite-next

Risk score

92

AI summary

Indexed incident for vega-lite-next (npm).

Description

Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares preinstall: node index.js. On npm install, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of whoami and id executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.

Technical details

Affected versions

=19.2.1

Indicators

  • affected version=19.2.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
