OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10200 confirms this npm version as malicious. The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output...
Advisory
MAL-2026-10200
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in api-changelly (npm)
Details
The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain `https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56`. The package name `api-changelly` impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private `changelly`-family dependency to this public package.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
1const { exec } = require('child_process');
L2: const os = require('os');
L3: const https = require('https');
L4: const http = require('http');
...
L12: return new Promise((resolve, reject) => {
L13: exec(command, (error, stdout, stderr) => {
L14: if (error) {
...
L30: pwd: '',
L31: hostname: os.hostname(),
L32: platform: os.platform(),
...
L98: if (res.statusCode >= 200 && res.statusCode < 300) {
L99: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Findings
2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings