registry  /  fury_frontend-andes-ui  /  99.9.5

fury_frontend-andes-ui@99.9.5

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10095 confirms this npm version as malicious. The package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data...

Advisory
MAL-2026-10095
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fury_frontend-andes-ui (npm)
Details
The package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms fury_frontend-andes-ui@99.9.5 as malicious (MAL-2026-10095): Malicious code in fury_frontend-andes-ui (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory