OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10178 confirms this npm version as malicious. package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js loads child_process/os/https, runs `whoami` and `id`, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at...
Advisory
MAL-2026-10178
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @broadpeak/smartlib-ad (npm)
Details
package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js loads child_process/os/https, runs `whoami` and `id`, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the `@broadpeak` scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.
Decision reason
OpenSSF Malicious Packages via OSV confirms @broadpeak/smartlib-ad@24.1.10 as malicious (MAL-2026-10178): Malicious code in @broadpeak/smartlib-ad (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory