MAL-2025-6694
Malicious code in amdocs-auth-package (npm)
Details
The package communicates with a domain associated with malicious activity.
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5d16664451db45f3a8b8da108a2b38785d0a7471480df169c57b38bccde640f7) Package name mimics an Amdocs internal package (dependency-confusion lure). package.json declares `preinstall: node index.js`, so `npm install` auto-executes index.js. index.js collects host reconnaissance via Node's os module and child_process (hostname, platform, arch, homedir, username/uid/gid/shell, OS info, plus output of `whoami`, `id`, and `pwd`) and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://bet2pv7fumnp3hnz9u5oxggb329txjl8.oastify.com/detox56. No legitimate functionality is present; the sole install-time effect is reconnaissance exfiltration to an attacker-controlled out-of-band callback host.
## Source: ossf-package-analysis (c756549e7fbf260738e6865ac35a33c132117c1e51d74abfe20fd5ab84cc5666) The OpenSSF Package Analysis project identified 'amdocs-auth-package' @ 99.1.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
1.0.0 No fixed version published yet for amdocs-auth-package (npm). Pin to a known-safe version or switch to an alternative.