registry  /  smb-portal-uikit  /  18.1.1

smb-portal-uikit@18.1.1

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10616 confirms this npm version as malicious. Package smb-portal-uikit@18.1.1 declares a preinstall lifecycle hook that runs `node index.js`. On `npm install`, index.js invokes child_process.exec on `whoami` and `id`, reads os.hostname(), os.userInfo(), process.platform, and process.cwd(), and POSTs the collected host reconnaissance to a hardcoded attacker-controlled endpoint at https://a2dmzqok5w5seb3fac3w4kvcz35utohd.oastify.com (an oastify.com subdomain, a...

Advisory
MAL-2026-10616
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in smb-portal-uikit (npm)
Details
Package smb-portal-uikit@18.1.1 declares a preinstall lifecycle hook that runs `node index.js`. On `npm install`, index.js invokes child_process.exec on `whoami` and `id`, reads os.hostname(), os.userInfo(), process.platform, and process.cwd(), and POSTs the collected host reconnaissance to a hardcoded attacker-controlled endpoint at https://a2dmzqok5w5seb3fac3w4kvcz35utohd.oastify.com (an oastify.com subdomain, a Burp Collaborator out-of-band interaction host commonly used as an exfiltration/beacon sink). The package ships no legitimate UI-toolkit functionality consistent with its name; the entire install-time behavior is reconnaissance and exfiltration.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.02 KB of source, external domains: a2dmzqok5w5seb3fac3w4kvcz35utohd.oastify.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const { exec } = require('child_process'); L2: const os = require('os'); L3: const https = require('https'); L4: const http = require('http'); ... L12: return new Promise((resolve, reject) => { L13: exec(command, (error, stdout, stderr) => { L14: if (error) { ... L30: pwd: '', L31: hostname: os.hostname(), L32: platform: os.platform(), ... L98: if (res.statusCode >= 200 && res.statusCode < 300) { L99: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = a8c0a39e872fe207 signatureType = suspicious_hashes sourceLabel = Datadog matchedPackage = @zuora-marketing/zuora-marketing-website@2.0.0 matchedPath = index.js matchedIdentity = npm:[redacted]:2.0.0 similarity = 1.000 shingleOverlap = 1 summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/@zuora-marketing@zuora-marketing-website/2.0.0/2025-12-12-@zuora-marketing_zuora-marketing-website-v2.0.0.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg

Findings

3 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings