OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2025-5455 confirms this npm version as malicious. The package communicates with a domain associated with malicious activity.
Advisory
MAL-2025-5455
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in red-bull-venue-tools (npm)
Details
The package communicates with a domain associated with malicious activity.
---
## Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b) package.json declares preinstall=`node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), `whoami` and `id` shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every `npm install` of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.
Decision reason
OpenSSF Malicious Packages via OSV confirms red-bull-venue-tools@19.2.1 as malicious (MAL-2025-5455): Malicious code in red-bull-venue-tools (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory