MAL-2026-10636
Malicious code in leviosa86-test (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956) leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh (project-discovery) out-of-band callback domain. The generic package name combined with the anomalous 4.999.0 version bump is the canonical dependency-confusion research/attack shape, where a high version number is published to a public registry to override a private internal package and cause the recon payload to fire in the victim's build.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for leviosa86-test (npm). Pin to a known-safe version or switch to an alternative.