registry  /  airkey-mfa-react  /  20.0.1

airkey-mfa-react@20.0.1

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6991 confirms this npm version as malicious. package.json declares a preinstall hook that runs index.js on `npm install`. index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of `whoami` and `id` — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56...

Advisory
MAL-2026-6991
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in airkey-mfa-react (npm)
Details
package.json declares a preinstall hook that runs index.js on `npm install`. index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of `whoami` and `id` — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package ships no library code matching its advertised MFA/React purpose; the install-time beacon is the package's only functional behavior. Empty author/description metadata and the mismatch between the package name and its contents are consistent with a dependency-confusion or namespace-squat placeholder targeting an internal package name. ## Source: ossf-package-analysis (aabfcc531d8f0174d9ba67b4ff82625500d953dfa0016b3e7bd95df973d5509f) The OpenSSF Package Analysis project identified 'airkey-mfa-react' @ 36.1.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms airkey-mfa-react@20.0.1 as malicious (MAL-2026-6991): Malicious code in airkey-mfa-react (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory