VDB
KO

MAL-2026-10181

Malicious code in consumerweb (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (74612bbfc323641d0141b4f1b495d6ea5f9b52129f2391bf21c5fabf63702ca7) On `npm install`, both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator). The package name and description ('Internal App bUg b0UntY gollum22 h1') indicate a dependency-confusion attempt targeting an internal package name; any successful install both confirms the internal name is squattable and leaks identifying information about the installer's environment to the attacker's collaborator. No installer opt-in, no legitimate use case for the collected data going to an OAST endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / consumerweb

No fixed version published yet for consumerweb (npm). Pin to a known-safe version or switch to an alternative.

References