OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10095 confirms this npm version as malicious. The package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data...
Advisory
MAL-2026-10095
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fury_frontend-andes-ui (npm)
Details
The package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms fury_frontend-andes-ui@99.9.5 as malicious (MAL-2026-10095): Malicious code in fury_frontend-andes-ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory