OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6990 confirms this npm version as malicious. ai-gen-ai-opt-in@99.0.0 declares a postinstall hook (postinstall.js) that runs automatically on npm install. The script collects the installer's hostname (os.hostname()), OS username (os.userInfo().username), and public IP/geo/ISP data (fetched from ip-api.com over HTTPS), then encodes those values and issues a DNS lookup for a subdomain of an attacker-controlled Burp Collaborator-style callback host...
Advisory
MAL-2026-6990
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ai-gen-ai-opt-in (npm)
Details
ai-gen-ai-opt-in@99.0.0 declares a postinstall hook (postinstall.js) that runs automatically on npm install. The script collects the installer's hostname (os.hostname()), OS username (os.userInfo().username), and public IP/geo/ISP data (fetched from ip-api.com over HTTPS), then encodes those values and issues a DNS lookup for a subdomain of an attacker-controlled Burp Collaborator-style callback host (p1r2d74iwjk057raam6myf7e258wzkt8i.oastify.com). This is a covert out-of-band DNS exfiltration channel that leaks installer identity and location data to a third party on every install, with no legitimate documented purpose.
Decision reason
OpenSSF Malicious Packages via OSV confirms ai-gen-ai-opt-in@99.0.0 as malicious (MAL-2026-6990): Malicious code in ai-gen-ai-opt-in (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory