MAL-2026-10739
Malicious code in mw-server-util (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1401412848e55e1515db44b1f513ad6e39628f06c24c3b057a08448c9e8ee44c) mw-server-util 2.0.1 ships a postinstall hook that runs mw.js, which reads os.hostname() and os.userInfo() and issues an HTTPS GET to a hardcoded Burp Collaborator subdomain gdx35zc4m7hymba6asotmwhd349vxlla.oastify.com, transmitting the installer's hostname, username, package name, and a timestamp on `npm install`. The destination is an attacker-controlled OAST callback typical of dependency-confusion beacons; the fetch fires automatically as a lifecycle side effect with no relation to any documented package purpose.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for mw-server-util (npm). Pin to a known-safe version or switch to an alternative.