MAL-2026-10183
Malicious code in fkext-browser-min (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c) The package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-<hostname>.<collaborator>.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for fkext-browser-min (npm). Pin to a known-safe version or switch to an alternative.