registry  /  smb-common-uikit  /  15.2.0

smb-common-uikit@15.2.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10615 confirms this npm version as malicious. package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of `whoami`, `id`, and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite...

Advisory
MAL-2026-10615
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in smb-common-uikit (npm)
Details
package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of `whoami`, `id`, and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite Collaborator out-of-band interaction domain, and the unique random subdomain plus install-time host beacon is the canonical dependency-confusion / reconnaissance exfiltration shape.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.02 KB of source, external domains: rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const { exec } = require('child_process'); L2: const os = require('os'); L3: const https = require('https'); L4: const http = require('http'); ... L12: return new Promise((resolve, reject) => { L13: exec(command, (error, stdout, stderr) => { L14: if (error) { ... L30: pwd: '', L31: hostname: os.hostname(), L32: platform: os.platform(), ... L98: if (res.statusCode >= 200 && res.statusCode < 300) { L99: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = a8c0a39e872fe207 signatureType = suspicious_hashes sourceLabel = Datadog matchedPackage = @zuora-marketing/zuora-marketing-website@2.0.0 matchedPath = index.js matchedIdentity = npm:[redacted]:2.0.0 similarity = 1.000 shingleOverlap = 1 summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/@zuora-marketing@zuora-marketing-website/2.0.0/2025-12-12-@zuora-marketing_zuora-marketing-website-v2.0.0.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg

Findings

3 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings