OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10556 confirms this npm version as malicious. On `npm install`, postinstall.js reads `os.hostname()` and embeds it as a query parameter in a plain-HTTP GET to a bare IPv4 address (http://37.60.255.218/skybackground.png?display=<hostname>). This transmits the installer's host identifier to attacker-controlled infrastructure under the cover of an 'image download.' The package metadata, README, and code disagree three ways: package.json declares scope...
Advisory
MAL-2026-10556
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @cw-ui/asio-neon-themes (npm)
Details
On `npm install`, postinstall.js reads `os.hostname()` and embeds it as a query parameter in a plain-HTTP GET to a bare IPv4 address (http://37.60.255.218/skybackground.png?display=<hostname>). This transmits the installer's host identifier to attacker-controlled infrastructure under the cover of an 'image download.' The package metadata, README, and code disagree three ways: package.json declares scope `@cw-ui/asio-neon-themes` ('themes'), README claims 'Simple Text Utils' with capitalize/reverse/wordCount, and the actual shipped code is an image-fetcher beacon. The author field is the placeholder 'Your Name'. The fetch follows arbitrary 301/302 redirects and writes the response bytes to `downloaded-image.jpg` inside the package directory with no integrity check, enabling staged-payload delivery — the endpoint can return any bytes, and the redirect handler accepts any destination.
## Source: ghsa-malware (68b3e84776090e3839851e3e7d6cd3ac1e42e6b55c5f9f222fd17e87612a20e5) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @cw-ui/asio-neon-themes@2.0.0 as malicious (MAL-2026-10556): Malicious code in @cw-ui/asio-neon-themes (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory