registry  /  dl-pp-latm  /  80.4.2

dl-pp-latm@80.4.2

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10086 confirms this npm version as malicious. Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'...

Advisory
MAL-2026-10086
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in dl-pp-latm (npm)
Details
Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
CryptoNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.10 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const os = require("os"); L2: const dns = require("dns"); L3: const querystring = require("querystring"); ... L5: const crypto = require("crypto"); // Para generar hash L6: const packageJSON = require("./package.json"); L7: const package = 'dl-pp-latm bug bounty'; ... L11: p: package, L12: c: __dirname, L13: hd: os.homedir(), L14: hn: os.hostname(), L15: un: os.userInfo().username, ... L82:
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = 297e886e8188212a signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = pp-react-v5@30.0.2 matchedPath = index.js matchedIdentity = npm:cHAtcmVhY3QtdjU:30.0.2 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
1const os = require("os"); L2: const dns = require("dns"); L3: const querystring = require("querystring"); ... L5: const crypto = require("crypto"); // Para generar hash L6: const packageJSON = require("./package.json"); L7: const package = 'dl-pp-latm bug bounty'; ... L11: p: package, L12: c: __dirname, L13: hd: os.homedir(), L14: hn: os.hostname(), L15: un: os.userInfo().username, ... L82:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

index.jsView on unpkg · L1

Findings

3 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
LowScripts Present
LowWeak Cryptoindex.js