OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6997 confirms this npm version as malicious. goofy-sdk@9999.0.0 is a dependency-confusion squat: the version is inflated to 9999.0.0 to shadow an internal package of the same name in build systems that resolve unscoped names against the public npm registry. On install, the package's preinstall hook executes callback.js, which reads os.hostname(), os.userInfo().username, process.platform, and process.cwd() and transmits them out-of-band to *.oast.fun...
Advisory
MAL-2026-6997
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in goofy-sdk (npm)
Details
goofy-sdk@9999.0.0 is a dependency-confusion squat: the version is inflated to 9999.0.0 to shadow an internal package of the same name in build systems that resolve unscoped names against the public npm registry. On install, the package's preinstall hook executes callback.js, which reads os.hostname(), os.userInfo().username, process.platform, and process.cwd() and transmits them out-of-band to *.oast.fun (Interactsh OAST callback infrastructure) via a DNS subdomain-encoded lookup and an HTTPS POST. Any build system that mis-resolves the internal name to this public package will silently leak internal host identity to a third-party callback service. Self-declared bug-bounty/research framing does not change the installer-side impact — the harm (unconsented host-identity beacon on install) is the same regardless of motive.
Decision reason
OpenSSF Malicious Packages via OSV confirms goofy-sdk@9999.0.0 as malicious (MAL-2026-6997): Malicious code in goofy-sdk (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory