MAL-2026-10081
Malicious code in webrix-docs1 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (20cdefe1415c5b5245f36b10ea0de9033433b479768c2cc785ad2742b9433fce) The package declares a preinstall hook (`node index.js`) that fires automatically on `npm install`. The script requires `child_process`, `os`, `https`, and `http`, collects hostname, platform, arch, username/uid/gid, shell, home directory, CPU/memory stats, cwd, and the output of `whoami`/`id`, then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56`. The package has an empty description and empty author, presents no advertised functionality, and its name mimics the `webrix` project — consistent with dependency-confusion/typosquat recon. Installing the package directly leaks installer host and user identifiers to an attacker-controlled OAST endpoint.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for webrix-docs1 (npm). Pin to a known-safe version or switch to an alternative.