OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10179 confirms this npm version as malicious. The package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of `<hostname>.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com`, leaking the hostname to a Burp Suite Collaborator subdomain at `npm install` time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel...
Advisory
MAL-2026-10179
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @uwr/colors (npm)
Details
The package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of `<hostname>.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com`, leaking the hostname to a Burp Suite Collaborator subdomain at `npm install` time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel. The package's advertised functionality is a trivial 5-entry frozen color constants map under the unscoped-looking @uwr scope ("colors for the unified workflow runtime") with an empty author field, consistent with a dependency-confusion / reconnaissance probe staged against an internal namespace rather than a legitimate library.
Decision reason
OpenSSF Malicious Packages via OSV confirms @uwr/colors@1.3.6 as malicious (MAL-2026-10179): Malicious code in @uwr/colors (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory