registry  /  events-alias  /  15.0.1

events-alias@15.0.1

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7011 confirms this npm version as malicious. The package's preinstall hook ("node index.js") runs automatically on `npm install` and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of `whoami`/`id`, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at...

Advisory
MAL-2026-7011
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in events-alias (npm)
Details
The package's preinstall hook ("node index.js") runs automatically on `npm install` and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of `whoami`/`id`, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package name 'events-alias' mimics the ubiquitous Node core 'events' module namespace but ships only this install-time recon/exfil payload; an undeclared ~10KB binary blob named 'i' also ships in the tarball but is not referenced from the executed code. Installing this package leaks installer identity/host reconnaissance data to attacker-controlled infrastructure.
Decision reason
OpenSSF Malicious Packages via OSV confirms events-alias@15.0.1 as malicious (MAL-2026-7011): Malicious code in events-alias (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory