MAL-2024-2779

Malicious code in oauth-connect (npm)

Details

## Source: amazon-inspector (b49c48193ba50bb4ead1e212925eab8873e7e4ad7fa834d41e7626bb4e5036f3)

package.json declares a `preinstall: node index.js` hook that fires automatically on `npm install`. index.js collects installer-side data (`os.hostname()`, `os.userInfo()`, the home directory, DNS server configuration, the contents of `/etc/passwd` and `/etc/hosts`, and the contents of the consumer's `package.json`), then HTTPS POSTs the assembled JSON to `f3js0y9srl22itqjffo9jbl8mzswgm4b.oastify.com`, an attacker-controlled Burp Collaborator subdomain. The package's advertised purpose (an OAuth helper) bears no relationship to reading `/etc/passwd` or beaconing host identifiers off-machine. This is a reconnaissance / dependency-confusion exfiltration payload that runs unattended on every machine that installs the package.
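A defender-side check for the install hook described above, as an added example that is not code from this advisory or from Amazon Inspector: it flags install-time lifecycle scripts in parsed `package.json` manifests. The function names, the allowlist and the sample manifests (including the version string and the `native-addon-example` package) are constructed for illustration.

```javascript
// Added example: audit parsed package.json manifests for install-time hooks.
// npm runs these three scripts automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return one finding per install-time hook declared in a manifest.
function findInstallHooks(manifest) {
  const scripts =
    manifest && typeof manifest.scripts === "object" && manifest.scripts
      ? manifest.scripts
      : {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string" && scripts[hook].trim() !== "")
    .map((hook) => {
      const command = scripts[hook].trim();
      return {
        package: manifest.name || "(unnamed)",
        version: manifest.version || "(unknown)",
        hook,
        command,
        // True when the hook launches a bundled script with node,
        // the pattern this advisory reports (`node index.js`).
        runsNodeScript: /^node\s+\S+/.test(command),
      };
    });
}

// Audit many manifests; packages on the reviewed allowlist are skipped.
function auditManifests(manifests, allowlist = []) {
  const reviewed = new Set(allowlist);
  return manifests
    .filter((m) => !reviewed.has(m.name))
    .flatMap((m) => findInstallHooks(m));
}

// Constructed sample manifests (not taken from the real package).
const SAMPLE_MANIFESTS = [
  { name: "oauth-connect", version: "0.0.0-constructed",
    scripts: { preinstall: "node index.js" } },
  { name: "native-addon-example", version: "1.0.0",
    scripts: { postinstall: "node-gyp rebuild" } },
  { name: "plain-lib-example", version: "2.1.0",
    scripts: { test: "node test.js" } },
];

for (const f of auditManifests(SAMPLE_MANIFESTS, ["native-addon-example"])) {
  console.log(`${f.package}@${f.version}: ${f.hook} -> ${f.command}`);
}
```

Installing with `npm install --ignore-scripts` prevents these hooks from running at all, which is a useful default for CI and for inspecting an unfamiliar package before trusting it.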

Affected packages

npm / oauth-connect

No fixed version published yet for oauth-connect (npm). Pin to a known-safe version or switch to an alternative.
