VDB
KO

MAL-2026-10459

Malicious code in connectedmerchantsserv (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf) The package's `scripts.install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of `oob.sl4x0.xyz` prefixed with `paypal2` and issues `dns.resolve4` queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names (`os`, `dns`, `userInfo`, `username`, `hostname`, `cwd`) and the destination domain are hidden as char-code numeric arrays reconstructed via `String.fromCharCode` in `lib/b02e30.js` and `lib/6ad264.js` to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / connectedmerchantsserv

No fixed version published yet for connectedmerchantsserv (npm). Pin to a known-safe version or switch to an alternative.

References