OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10579 confirms this npm version as malicious. On `npm install`, the package's preinstall hook runs `node index.js`, which executes `whoami` and `id` via child_process and collects `os.hostname()`, `os.userInfo()`, `os.platform()`, homedir, cwd, and related host identifiers. The collected JSON payload is POSTed over HTTPS to a hardcoded Burp Collaborator subdomain, `https://mqgby2y4jlp0k06gbpg1ulgjqaw1ks8h.oastify.com/detox56`...
Advisory
MAL-2026-10579
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in bimi-maker (npm)
Details
On `npm install`, the package's preinstall hook runs `node index.js`, which executes `whoami` and `id` via child_process and collects `os.hostname()`, `os.userInfo()`, `os.platform()`, homedir, cwd, and related host identifiers. The collected JSON payload is POSTed over HTTPS to a hardcoded Burp Collaborator subdomain, `https://mqgby2y4jlp0k06gbpg1ulgjqaw1ks8h.oastify.com/detox56`. The package ships no legitimate functionality matching its BIMI-related name; the only observable behavior is an install-time reconnaissance beacon to an attacker-controlled OAST endpoint, consistent with dependency-confusion or typosquat probing.
Decision reason
OpenSSF Malicious Packages via OSV confirms bimi-maker@8.2.4 as malicious (MAL-2026-10579): Malicious code in bimi-maker (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory