registry  /  giantswarm  /  22.0.1

giantswarm@22.0.1

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10203 confirms this npm version as malicious. The package declares a `preinstall` hook (`node index.js`) that runs automatically on `npm install`. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, `whoami`, `id`, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56...

Advisory
MAL-2026-10203
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in giantswarm (npm)
Details
The package declares a `preinstall` hook (`node index.js`) that runs automatically on `npm install`. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, `whoami`, `id`, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name `giantswarm` impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private `@giantswarm/*` scopes.
Decision reason
OpenSSF Malicious Packages via OSV confirms giantswarm@22.0.1 as malicious (MAL-2026-10203): Malicious code in giantswarm (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory