VDB
KO

MAL-2026-10080

Malicious code in webrix-docs (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bec06de7c68db5cdd90e4b05be057a583f1a2318174916af07ed86d52a5011fc) package.json declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects host reconnaissance data — os.hostname(), os.userInfo() (username, uid, gid, homedir), process.platform, cwd, and the output of `whoami`/`id` spawned via child_process — and POSTs it as JSON to the hardcoded URL https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56 (a Burp Collaborator / oastify.com out-of-band interaction subdomain). The package has an empty description and author, no library code, and a name that mimics the legitimate `webrix` UI library — consistent with a typosquat/dependency-confusion lure whose only purpose is the install-time beacon.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / webrix-docs

No fixed version published yet for webrix-docs (npm). Pin to a known-safe version or switch to an alternative.

References