MAL-2026-10095
Malicious code in fury_frontend-andes-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37) The package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for fury_frontend-andes-ui (npm). Pin to a known-safe version or switch to an alternative.