Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in vuln-package (npm)

vuln-package

Risk score

92

AI summary

Indexed incident for vuln-package (npm).

Description

On npm install, the package's preinstall script triggers a DNS lookup to a unique subdomain of oast.fun (fabekzbnjtufpffkzzmvjvi5eafhny3ok.oast.fun), an out-of-band interaction service, confirming code execution on the installer's machine to a third-party collector. A sibling file indexCopy.js collects host identifiers (os.userInfo().username, os.hostname(), process.cwd(), and process.env references) and issues an https.request POST to a hardcoded webhook.site endpoint (https://webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc). The combination of an OOB DNS beacon at install time and a staged HTTPS exfiltration payload targeting installer host identifiers is characteristic of a supply-chain reconnaissance/exfiltration attack rather than any legitimate package behavior.

Technical details

Affected versions

=99.9.11=99.9.14=99.9.9=99.9.10

Indicators

  • affected version=99.9.1175%
  • affected version=99.9.1475%
  • affected version=99.9.975%
  • affected version=99.9.1075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents