MAL-2026-10086
Malicious code in dl-pp-latm (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716) Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for dl-pp-latm (npm). Pin to a known-safe version or switch to an alternative.