registry  /  compliancepolicyserv  /  9.9.11

compliancepolicyserv@9.9.11

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10458 confirms this npm version as malicious. compliancepolicyserv@9.9.11 registers index.js as both scripts.install and main. On npm install and on require, index.js loads lib/core.js, which reads os.userInfo().username, os.hostname(), and process.cwd(), concatenates them with a 'paypal' prefix, a timestamp, and the domain oob.sl4x0.xyz, and issues a dns.resolve4 query against the resulting subdomain, beaconing installer identifiers over DNS to an...

Advisory
MAL-2026-10458
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in compliancepolicyserv (npm)
Details
compliancepolicyserv@9.9.11 registers index.js as both scripts.install and main. On npm install and on require, index.js loads lib/core.js, which reads os.userInfo().username, os.hostname(), and process.cwd(), concatenates them with a 'paypal' prefix, a timestamp, and the domain oob.sl4x0.xyz, and issues a dns.resolve4 query against the resulting subdomain, beaconing installer identifiers over DNS to an author-controlled domain. The destination host and the names of the os/dns/process APIs and their methods (userInfo, hostname, cwd, resolve4) are reconstructed at runtime from char-code arrays in lib/b02e30.js and lib/6ad264.js, hiding the exfil endpoint and sensitive API references from static inspection. The package name resembles a compliance-policy service but the shipped code performs no such function; the sole install/import-time effect is the DNS beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms compliancepolicyserv@9.9.11 as malicious (MAL-2026-10458): Malicious code in compliancepolicyserv (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory