VDB
KO

MAL-2026-10081

Malicious code in webrix-docs1 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (20cdefe1415c5b5245f36b10ea0de9033433b479768c2cc785ad2742b9433fce) The package declares a preinstall hook (`node index.js`) that fires automatically on `npm install`. The script requires `child_process`, `os`, `https`, and `http`, collects hostname, platform, arch, username/uid/gid, shell, home directory, CPU/memory stats, cwd, and the output of `whoami`/`id`, then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56`. The package has an empty description and empty author, presents no advertised functionality, and its name mimics the `webrix` project — consistent with dependency-confusion/typosquat recon. Installing the package directly leaks installer host and user identifiers to an attacker-controlled OAST endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / webrix-docs1

No fixed version published yet for webrix-docs1 (npm). Pin to a known-safe version or switch to an alternative.

References