OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10459 confirms this npm version as malicious. The package's `scripts.install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of `oob.sl4x0.xyz` prefixed with `paypal2` and issues `dns.resolve4` queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS...
Advisory
MAL-2026-10459
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in connectedmerchantsserv (npm)
Details
The package's `scripts.install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of `oob.sl4x0.xyz` prefixed with `paypal2` and issues `dns.resolve4` queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names (`os`, `dns`, `userInfo`, `username`, `hostname`, `cwd`) and the destination domain are hidden as char-code numeric arrays reconstructed via `String.fromCharCode` in `lib/b02e30.js` and `lib/6ad264.js` to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.
Decision reason
OpenSSF Malicious Packages via OSV confirms connectedmerchantsserv@9.9.11 as malicious (MAL-2026-10459): Malicious code in connectedmerchantsserv (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory