
MAL-2026-4424

Malicious code in @remitee-money-transfer/rmt-base (npm)

Details


## Source: amazon-inspector (5f21c6601855c2f2d0a5d0761d3defe8c0ba1708dd2a67fb278c03e0abd6ba16)

Package ships only a preinstall lifecycle script (scripts/preinstall.sh) and no functional code. On `npm install`, the script reads /etc/passwd and /root/.ssh/id_rsa, fetches the host's public IP via ifconfig.me, and POSTs all three values to https://astralishmx.requestcatcher.com/BONK2 using `curl -k` (TLS verification disabled). The package is published under a scope impersonating Remitee (`@remitee-money-transfer/rmt-base`) at an inflated version (99.99.102) consistent with a dependency-confusion attack against a private internal package; the declared `main: index.js` does not exist in the tarball. The author handle (`astralis`) matches the exfiltration hostname, and requestcatcher.com is a free request-capture service commonly abused as a low-effort exfiltration sink. The combined fingerprint (install-time read of classic installer secrets, hardcoded attacker C2, namespace impersonation, dependency-confusion versioning, and absence of any legitimate code) leaves no benign interpretation.


Affected packages

npm / @remitee-money-transfer/rmt-base

No fixed version published yet for @remitee-money-transfer/rmt-base (npm). Pin to a known-safe version or switch to an alternative.
