registry  /  amdocs-auth-package  /  115.2.1

amdocs-auth-package@115.2.1

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2025-6694 confirms this npm version as malicious. The package communicates with a domain associated with malicious activity.

Advisory
MAL-2025-6694
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in amdocs-auth-package (npm)
Details
The package communicates with a domain associated with malicious activity. --- ## Source: amazon-inspector (5d16664451db45f3a8b8da108a2b38785d0a7471480df169c57b38bccde640f7) Package name mimics an Amdocs internal package (dependency-confusion lure). package.json declares `preinstall: node index.js`, so `npm install` auto-executes index.js. index.js collects host reconnaissance via Node's os module and child_process (hostname, platform, arch, homedir, username/uid/gid/shell, OS info, plus output of `whoami`, `id`, and `pwd`) and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://bet2pv7fumnp3hnz9u5oxggb329txjl8.oastify.com/detox56. No legitimate functionality is present; the sole install-time effect is reconnaissance exfiltration to an attacker-controlled out-of-band callback host. ## Source: ossf-package-analysis (c756549e7fbf260738e6865ac35a33c132117c1e51d74abfe20fd5ab84cc5666) The OpenSSF Package Analysis project identified 'amdocs-auth-package' @ 99.1.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms amdocs-auth-package@115.2.1 as malicious (MAL-2025-6694): Malicious code in amdocs-auth-package (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory