Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in fkext-browser-min (npm)

fkext-browser-min

Risk score

92

AI summary

Indexed incident for fkext-browser-min (npm).

Description

The package runs vishu.js as a preinstall lifecycle hook on npm install. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form ping-<hostname>.<collaborator>.oastify.com, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.

Technical details

Affected versions

=1.0.14

Indicators

  • affected version=1.0.1475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents