OSV Malicious Advisory
scanned 5m ago · by OpenSSF/OSV
OpenSSF/OSV advisory MAL-2026-6696 confirms this npm version as malicious.
Advisory: MAL-2026-6696
Source: OpenSSF Malicious Packages via OSV
Summary: Malicious code in @businessapp-microsites/apis (npm)
Details:
Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs `node -e` to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any `npm install` that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.
Decision reason: OpenSSF Malicious Packages via OSV confirms @businessapp-microsites/apis@9999.0.0 as malicious (MAL-2026-6696): Malicious code in @businessapp-microsites/apis (npm)
References
Source & flagged code: 0 flagged. No flagged code excerpts are attached to this scan.
Findings: 1 High
High: OSV Malicious Advisory