Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in @uwr/colors (npm)

@uwr/colors

Risk score

92

AI summary

Indexed incident for @uwr/colors (npm).

Description

The package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of <hostname>.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com, leaking the hostname to a Burp Suite Collaborator subdomain at npm install time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel. The package's advertised functionality is a trivial 5-entry frozen color constants map under the unscoped-looking @uwr scope ("colors for the unified workflow runtime") with an empty author field, consistent with a dependency-confusion / reconnaissance probe staged against an internal namespace rather than a legitimate library.

Technical details

Affected versions

=1.3.6

Indicators

  • affected version=1.3.675%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents