registry  /  consumerweb  /  2200.4.2

consumerweb@2200.4.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10181 confirms this npm version as malicious. On `npm install`, both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator)...

Advisory
MAL-2026-10181
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in consumerweb (npm)
Details
On `npm install`, both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator). The package name and description ('Internal App bUg b0UntY gollum22 h1') indicate a dependency-confusion attempt targeting an internal package name; any successful install both confirms the internal name is squattable and leaks identifying information about the installer's environment to the attacker's collaborator. No installer opt-in, no legitimate use case for the collected data going to an OAST endpoint.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
CryptoNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.10 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const os = require("os"); L2: const dns = require("dns"); L3: const querystring = require("querystring"); ... L5: const crypto = require("crypto"); // Para generar hash L6: const packageJSON = require("./package.json"); L7: const package = 'consumerweb bug bounty'; ... L11: p: package, L12: c: __dirname, L13: hd: os.homedir(), L14: hn: os.hostname(), L15: un: os.userInfo().username, ... L82:
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 297e886e8188212a signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = pp-react-v5@30.0.2 matchedPath = index.js matchedIdentity = npm:cHAtcmVhY3QtdjU:30.0.2 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
1const os = require("os"); L2: const dns = require("dns"); L3: const querystring = require("querystring"); ... L5: const crypto = require("crypto"); // Para generar hash L6: const packageJSON = require("./package.json"); L7: const package = 'consumerweb bug bounty'; ... L11: p: package, L12: c: __dirname, L13: hd: os.homedir(), L14: hn: os.hostname(), L15: un: os.userInfo().username, ... L82:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

index.jsView on unpkg · L1

Findings

3 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
LowScripts Present
LowWeak Cryptoindex.js