Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in opt-archetype-check (npm)

opt-archetype-check

Risk score

92

AI summary

Indexed incident for opt-archetype-check (npm).

Description

On npm install, the package's postinstall hook executes node index.js, which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host (const CALLBACK_HOST = "109.71.252.153";) and line 73 issues the POST to /callback. The file's own header self-identifies as a 'PoC Callback Script — npm Package Takeover'. The package's description ('walmart Application and Middleware Server') and name shape are consistent with dependency-confusion impersonation of internal Walmart tooling — any environment that mistakenly resolves this public package will execute the beacon and leak infrastructure fingerprints to the attacker, providing reconnaissance for follow-on intrusion against the targeted internal namespace.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=9.9.1=9.99.4=9.9.0>=0

Indicators

  • Advisory IDs
    90%
  • affected version=9.9.175%
  • affected version=9.99.475%
  • affected version=9.9.075%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents