registry  /  vuln-package  /  99.9.9

vuln-package@99.9.9

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10212 confirms this npm version as malicious. On npm install, the package's preinstall script triggers a DNS lookup to a unique subdomain of oast.fun (fabekzbnjtufpffkzzmvjvi5eafhny3ok.oast.fun), an out-of-band interaction service, confirming code execution on the installer's machine to a third-party collector. A sibling file indexCopy.js collects host identifiers (os.userInfo().username, os.hostname(), process.cwd(), and process.env references) and issues an...

Advisory
MAL-2026-10212
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vuln-package (npm)
Details
On npm install, the package's preinstall script triggers a DNS lookup to a unique subdomain of oast.fun (fabekzbnjtufpffkzzmvjvi5eafhny3ok.oast.fun), an out-of-band interaction service, confirming code execution on the installer's machine to a third-party collector. A sibling file indexCopy.js collects host identifiers (os.userInfo().username, os.hostname(), process.cwd(), and process.env references) and issues an https.request POST to a hardcoded webhook.site endpoint (https://webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc). The combination of an OOB DNS beacon at install time and a staged HTTPS exfiltration payload targeting installer host identifiers is characteristic of a supply-chain reconnaissance/exfiltration attack rather than any legitimate package behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms vuln-package@99.9.9 as malicious (MAL-2026-10212): Malicious code in vuln-package (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory