Supply-chain threat intelligence
Risk score
92
Indexed incident for vega-lite-next (npm).
Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares preinstall: node index.js. On npm install, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of whoami and id executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.
Affected versions
Indicators
Timeline