registry  /  @leviosa86com/leviosa86-test  /  6.2.1

@leviosa86com/leviosa86-test@6.2.1

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10625 confirms this npm version as malicious. Package @leviosa86com/leviosa86-test@5.999.0 ships src/poc/index.js which shells out via child_process.exec to collect host identifiers (hostname, pwd, whoami) and the installer's public IP (curl https://ifconfig.me), then concatenates the collected data into a subdomain label and triggers a DNS lookup (nslookup) against a unique subdomain of oast.site (a d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site Interactsh...

Advisory
MAL-2026-10625
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @leviosa86com/leviosa86-test (npm)
Details
Package @leviosa86com/leviosa86-test@5.999.0 ships src/poc/index.js which shells out via child_process.exec to collect host identifiers (hostname, pwd, whoami) and the installer's public IP (curl https://ifconfig.me), then concatenates the collected data into a subdomain label and triggers a DNS lookup (nslookup) against a unique subdomain of oast.site (a d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site Interactsh out-of-band interaction server), exfiltrating host recon over DNS to an attacker-controlled OAST endpoint. package.json declares `preinstall: node index.js`; a root index.js is not present in the tarball, so the default install may no-op, but the shipped src/poc/index.js payload is unambiguous exfiltration recon and the package name/version shape (`@leviosa86com/leviosa86-test@5.999.0`, a very high version) matches a namespace-squat / dependency-confusion attempt targeting a private @leviosa86com scope.
Decision reason
OpenSSF Malicious Packages via OSV confirms @leviosa86com/leviosa86-test@6.2.1 as malicious (MAL-2026-10625): Malicious code in @leviosa86com/leviosa86-test (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory