Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in bugexploit (npm)

bugexploit

Risk score

92

AI summary

Indexed incident for bugexploit (npm).

Description

package.json declares a postinstall script that runs node index.js. On npm install, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.

Technical details

Affected versions

=99.9.9

Indicators

  • affected version=99.9.975%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents