OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10183 confirms this npm version as malicious. The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form...
Advisory
MAL-2026-10183
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fkext-browser-min (npm)
Details
The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-<hostname>.<collaborator>.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
EnvironmentVarsNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node vishu.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings