MAL-2024-2031

Malicious code in crosswalker (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b352c9c53fc71d511dae5d0fd8acc4462286092822d70e37dd413593f12bf0d3)

package.json declares `preinstall: node index.js`, causing index.js to run automatically on `npm install`. The script collects hostname, platform, arch, homedir, username, uid/gid, shell, OS info, cwd, and the output of `whoami` and `id`, then POSTs the JSON payload to a hardcoded URL at `https://kbz9yyzq2mtljdwwf6r0tpzlfcl39txi.oastify.com/detox56`. The destination is a Burp Collaborator subdomain — out-of-band infrastructure used to confirm exfiltration / RCE during dependency-confusion reconnaissance. Installer host and user identifiers leave the machine without consent on every install.
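A defender-side check for the mechanism described above, as an added example (not code from the advisory or from the package): it flags install-time lifecycle hooks in a parsed `package.json` and scans the script each hook launches for the indicators the description names. The function names, the indicator list and the sample manifest and file are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic indicators taken from the advisory text; not an exhaustive list.
const INDICATORS = [
  { id: "oob-callback-domain", re: /\b[a-z0-9-]+\.oastify\.com\b/i },
  { id: "host-fingerprinting", re: /\bos\.(hostname|userInfo|homedir)\s*\(/ },
  { id: "identity-command", re: /\bexec(Sync)?\s*\(\s*['"`](whoami|id)\b/ },
];

// Script files a hook command hands to node, e.g. "node index.js" -> ["index.js"].
function hookEntryFiles(command) {
  const files = [];
  const re = /\bnode\s+(?:--?\S+\s+)*([^\s;&|]+\.(?:c|m)?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) files.push(m[1].replace(/^\.\//, ""));
  return files;
}

// manifest: parsed package.json. readFile(name): source text, or null if absent.
function auditInstallHooks(manifest, readFile) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const finding = { hook, command, indicators: [] };
    for (const file of hookEntryFiles(command)) {
      const src = readFile(file);
      if (src === null) { finding.indicators.push(`missing:${file}`); continue; }
      for (const { id, re } of INDICATORS) {
        if (re.test(src)) finding.indicators.push(`${id}:${file}`);
      }
    }
    findings.push(finding); // any install hook is reported, with or without hits
  }
  return findings;
}

// Constructed sample: an inert fragment shaped like the advisory's description.
const SAMPLE_MANIFEST = { name: "example-pkg", scripts: { preinstall: "node index.js" } };
const SAMPLE_FILES = {
  "index.js": "const os = require('os');\n" +
    "const data = { host: os.hostname(), user: os.userInfo().username };\n" +
    "// (request to placeholder.oastify.com elided in this constructed sample)\n",
};
const readSample = (f) => (f in SAMPLE_FILES ? SAMPLE_FILES[f] : null);
console.log(JSON.stringify(auditInstallHooks(SAMPLE_MANIFEST, readSample), null, 2));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks such as `preinstall` from running, so a manifest can be inspected this way before any package code executes.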

Affected packages

npm / crosswalker

No fixed version published yet for crosswalker (npm). Pin to a known-safe version or switch to an alternative.

References