registry  /  http-req-lite  /  1.0.0

http-req-lite@1.0.0

Simple HTTP request helper with retry and timeout

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install triggers hidden shell commands that retrieve data from an internal-looking host and exfiltrate it to an external OAST endpoint. A second request attempts server-side forwarding to that endpoint.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation via the `postinstall` lifecycle hook.
Impact
May extract internal HTTP content and induce SSRF during dependency installation.
Mechanism
install-time curl-based SSRF probing and data exfiltration
Attack narrative
On installation, `postinstall.js` executes curl pipelines. It fetches content from `tst.woa.com/flag.html` and posts it to an attacker-observable OAST endpoint, then requests an SSRF-forwarding URL targeting the same endpoint. This behavior is unrelated to the advertised HTTP helper and executes without user invocation.
Rationale
The package contains concrete, unconsented install-time shell execution that probes an internal-looking service and exfiltrates retrieved content to an external OAST domain. This is malicious behavior, not a benign runtime HTTP utility.
Evidence
package.jsonpostinstall.jsindex.js
Network endpoints4
tst.woa.com/flag.htmltst.woa.com/ssrf_forward.phppwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com/ssrf1pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10699
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in http-req-lite (npm)
Details
The OpenSSF Package Analysis project identified 'http-req-lite' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
References

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `node postinstall.js` automatically on install.
  • `postinstall.js` executes shell commands through `child_process.exec`.
  • `postinstall.js` fetches `http://tst.woa.com/flag.html` and POSTs its body to an OAST host.
  • `postinstall.js` triggers `ssrf_forward.php` with the external OAST hostname.
Evidence against
  • `index.js` only exports a user-invoked `fetch(url)` helper.
  • No benign purpose is evident for the install-time network activity.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
TrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 368 B of source, external domains: tst.woa.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowUrl Strings