OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10609 confirms this npm version as malicious. The package declares a preinstall hook that runs index.js on npm install. index.js collects host identifiers (os.hostname(), os.userInfo(), uid/gid, shell, homedir, process.platform, cwd, and the output of `whoami`/`id` via child_process) and POSTs the collected data as JSON to a hardcoded external endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56 (a Burp Suite Collaborator subdomain)...
Advisory
MAL-2026-10609
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in utils-style-engine (npm)
Details
The package declares a preinstall hook that runs index.js on npm install. index.js collects host identifiers (os.hostname(), os.userInfo(), uid/gid, shell, homedir, process.platform, cwd, and the output of `whoami`/`id` via child_process) and POSTs the collected data as JSON to a hardcoded external endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56 (a Burp Suite Collaborator subdomain). The package ships no other functionality: package.json has an empty description, empty author, no repository, and the generic name `utils-style-engine`; the only shipped file besides the manifest is the beacon script. The shape is consistent with a dependency-confusion / reconnaissance probe.
Decision reason
OpenSSF Malicious Packages via OSV confirms utils-style-engine@10.2.4 as malicious (MAL-2026-10609): Malicious code in utils-style-engine (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory