
@businessapp-microsites/apis@9999.0.1

Security research placeholder. Dependency confusion PoC for Bugcrowd submission 37cf8443 (trustpilot-mbb-og). Contact: mdpsec. No malicious code. Will be removed or transferred to Trustpilot on request.

OSV Malicious Advisory

scanned 3m ago · by OpenSSF/OSV


Advisory: MAL-2026-6696
Source: OpenSSF Malicious Packages via OSV
Summary: Malicious code in @businessapp-microsites/apis (npm)
Details: Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs `node -e` to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any `npm install` that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.
Decision reason: OpenSSF Malicious Packages via OSV confirms @businessapp-microsites/apis@9999.0.1 as malicious (MAL-2026-6696): Malicious code in @businessapp-microsites/apis (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
High: OSV Malicious Advisory