MAL-2025-5455
Malicious code in red-bull-venue-tools (npm)
Details
The package communicates with a domain associated with malicious activity.
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b) package.json declares preinstall=`node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), `whoami` and `id` shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every `npm install` of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.
Are you affected?
Enter the version of the package you're using.
Affected packages
9.9.9 No fixed version published yet for red-bull-venue-tools (npm). Pin to a known-safe version or switch to an alternative.