OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5399 confirms this npm version as malicious. On require/load, index.js imports os, dns, https, querystring, and the local package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (install path), dns.getServers(), and the full package.json contents, and HTTPS POSTs the JSON payload to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com (a Burp Collaborator OAST subdomain). The version 999.0.0 plus self-described 'dependency confusion...
Advisory
MAL-2026-5399
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in kraken-ui (npm)
Details
On require/load, index.js imports os, dns, https, querystring, and the local package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (install path), dns.getServers(), and the full package.json contents, and HTTPS POSTs the JSON payload to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com (a Burp Collaborator OAST subdomain). The version 999.0.0 plus self-described 'dependency confusion proof of concept' is the canonical dependency-confusion attack shape: it is published to the public registry to override an internal package of the same name. Any installer or build system whose resolver picks up this version leaks identifying host/user info and internal DNS topology to an attacker-controlled out-of-band server. Behavior fires automatically when the module's main entry is loaded.
## Source: ghsa-malware (ea308da371652779c24ee15abd8d68c0908ea822dacf5599758c113b8a7ed13c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms kraken-ui@999.0.0 as malicious (MAL-2026-5399): Malicious code in kraken-ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory