OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6075 confirms this npm version as malicious. On `npm install`, the package's postinstall hook executes `node index.js`, which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over...
Advisory
MAL-2026-6075
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in opt-archetype-check (npm)
Details
On `npm install`, the package's postinstall hook executes `node index.js`, which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host (`const CALLBACK_HOST = "109.71.252.153";`) and line 73 issues the POST to `/callback`. The file's own header self-identifies as a 'PoC Callback Script — npm Package Takeover'. The package's description ('walmart Application and Middleware Server') and name shape are consistent with dependency-confusion impersonation of internal Walmart tooling — any environment that mistakenly resolves this public package will execute the beacon and leak infrastructure fingerprints to the attacker, providing reconnaissance for follow-on intrusion against the targeted internal namespace.
## Source: ghsa-malware (09e9ecef8217866de5daf28f17e24dfd60327c58a5b47d6a8bb86dd7e1cc635c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms opt-archetype-check@9.99.4 as malicious (MAL-2026-6075): Malicious code in opt-archetype-check (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory