registry  /  ls-env-config  /  1.0.5

ls-env-config@1.0.5

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10678 confirms this npm version as malicious. Package declares a `preinstall` script (`node./index.js`) that fires automatically on `npm install`. The executed `index.js` issues an HTTP GET to a Burp-Collaborator-style subdomain at `85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01`...

Advisory
MAL-2026-10678
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ls-env-config (npm)
Details
Package declares a `preinstall` script (`node./index.js`) that fires automatically on `npm install`. The executed `index.js` issues an HTTP GET to a Burp-Collaborator-style subdomain at `85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01`. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms ls-env-config@1.0.5 as malicious (MAL-2026-10678): Malicious code in ls-env-config (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory