OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10632 confirms this npm version as malicious. cppt-common@13.1.1 declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js collects host and user identifiers — os.hostname(), os.userInfo(), the output of `whoami` and `id` via child_process.exec, platform/arch/memory, cwd, homedir, and shell — and POSTs the collected JSON to a hardcoded endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56...
Advisory
MAL-2026-10632
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cppt-common (npm)
Details
cppt-common@13.1.1 declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js collects host and user identifiers — os.hostname(), os.userInfo(), the output of `whoami` and `id` via child_process.exec, platform/arch/memory, cwd, homedir, and shell — and POSTs the collected JSON to a hardcoded endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56. The oastify.com host is a Burp Collaborator out-of-band callback domain used for exfiltration. The package has empty description and author fields and provides no advertised functionality; its only install-time effect is the reconnaissance beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms cppt-common@13.1.1 as malicious (MAL-2026-10632): Malicious code in cppt-common (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory