registry  /  @businessapp-microsites/apis  /  9999.0.2

@businessapp-microsites/apis@9999.0.2

Security research placeholder for Bugcrowd trustpilot-mbb-og submission 37cf8443. Non-malicious. Owner: npm account mdpsec.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6696 confirms this npm version as malicious. @businessapp-microsites/apis@9999.0.2 is a dependency-confusion squat against the private scope `@businessapp-microsites`, published with an implausibly high version (9999.0.2) to outrank any internal registry copy. On `npm install`, its postinstall.js runs child_process.execSync to collect `hostname`, `whoami`, and `uname -a` / `ver`, combines this with os.hostname(), os.userInfo(), and CI attribution env vars...

Advisory
MAL-2026-6696
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @businessapp-microsites/apis (npm)
Details
@businessapp-microsites/apis@9999.0.2 is a dependency-confusion squat against the private scope `@businessapp-microsites`, published with an implausibly high version (9999.0.2) to outrank any internal registry copy. On `npm install`, its postinstall.js runs child_process.execSync to collect `hostname`, `whoami`, and `uname -a` / `ver`, combines this with os.hostname(), os.userInfo(), and CI attribution env vars (GITHUB_REPOSITORY, GITHUB_SHA, RUNNER_NAME, etc.), and sends them via https.get to a hardcoded external callback at poc-trustpilot-npm-1782770591.testingboxes.com. Any org whose internal registry mirrors public npm and resolves this scope will auto-execute the beacon under CI credentials. The package self-labels as a bug-bounty PoC, but the executed code is a full dependency-confusion exfil payload against installers of the squatted scope; cover-story framing does not change the installer-side harm.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.25 KB of source, external domains: poc-trustpilot-npm-1782770591.testingboxes.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
11var os = require('os'); L12: var https = require('https'); L13: var cp = require('child_process'); L14: ... L24: L25: var isWin = process.platform === 'win32'; L26: L27: // The three literal command outputs triage asked for. L28: var host = run('hostname') || os.hostname(); L29: var user = run('whoami') || (function () { try { return os.userInfo().username; } catch (e) { return ''; } })(); ... L32: L33: var e = process.env;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

postinstall.jsView on unpkg · L11

Findings

2 High4 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitypostinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings