OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10683 confirms this npm version as malicious. The package declares a preinstall hook that runs index.js on npm install. index.js collects host and identity reconnaissance — os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release, memory, CPU count, and the output of the `whoami`, `id`, and `pwd` shell commands — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at...
Advisory
MAL-2026-10683
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in formatters.ts (npm)
Details
The package declares a preinstall hook that runs index.js on npm install. index.js collects host and identity reconnaissance — os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release, memory, CPU count, and the output of the `whoami`, `id`, and `pwd` shell commands — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package name resembles a legitimate formatter/TypeScript module and ships with empty description/author metadata, consistent with a dependency-confusion typosquat lure whose sole purpose is the install-time beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms formatters.ts@14.2.1 as malicious (MAL-2026-10683): Malicious code in formatters.ts (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory