registry  /  leviosa86-test  /  4.999.0

leviosa86-test@4.999.0

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10636 confirms this npm version as malicious. leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh...

Advisory
MAL-2026-10636
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in leviosa86-test (npm)
Details
leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh (project-discovery) out-of-band callback domain. The generic package name combined with the anomalous 4.999.0 version bump is the canonical dependency-confusion research/attack shape, where a high version number is published to a public registry to override a private internal package and cause the recon payload to fire in the victim's build.
Decision reason
OpenSSF Malicious Packages via OSV confirms leviosa86-test@4.999.0 as malicious (MAL-2026-10636): Malicious code in leviosa86-test (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory