registry  /  fkext-browser-min  /  1.0.14

fkext-browser-min@1.0.14

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10183 confirms this npm version as malicious. The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form...

Advisory
MAL-2026-10183
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fkext-browser-min (npm)
Details
The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-<hostname>.<collaborator>.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.65 KB of source, external domains: api.ipify.org, webhook.site

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node vishu.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings