OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5515 confirms this npm version as malicious. On `npm install`, preinstall.js collects hostname, username, cwd, network interfaces, and the names of environment variables matching /TOKEN|SECRET|PASSWORD|KEY|AUTH|NPM|AWS|GITHUB|YELP|DATABASE/i, then probes for the existence and sizes of ~/.npmrc, ~/.gitconfig, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.netrc, and ~/.docker/config.json...
Advisory
MAL-2026-5515
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in yelp-react-component-chaos (npm)
Details
On `npm install`, preinstall.js collects hostname, username, cwd, network interfaces, and the names of environment variables matching /TOKEN|SECRET|PASSWORD|KEY|AUTH|NPM|AWS|GITHUB|YELP|DATABASE/i, then probes for the existence and sizes of ~/.npmrc, ~/.gitconfig, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.netrc, and ~/.docker/config.json. The collected payload is POSTed via curl to http://3w0e8s6jg6tkyv03vdesvscvlmrdf43t.oastify.com (a Burp Collaborator OAST domain) over plain HTTP. The payload self-identifies with `attack: 'dependency-confusion-yelp'` and the package name `yelp-react-component-chaos` impersonates Yelp's internal React tooling namespace, indicating a dependency-confusion squat against Yelp's private registry. Any developer or CI pipeline that resolves this name from public npm has their host fingerprinted and their installer-credential file inventory reported off-host, enabling targeted follow-on theft.
## Source: ghsa-malware (5bea4f453020ab71f0751124ac35492ef8190a2a0e25796189869d1ba49915cc) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (888a90bd95ca140a3cc5946c0f1a7bf5b52f04ac2f7732722de7db72ec409801) The OpenSSF Package Analysis project identified 'yelp-react-component-chaos' @ 8.14.5 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms yelp-react-component-chaos@8.14.5 as malicious (MAL-2026-5515): Malicious code in yelp-react-component-chaos (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory