
MAL-2026-4822

Malicious code in loadtest-browser-lib (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e)

On `npm install`, the package's preinstall hook executes index.js, which collects host identifiers (hostname, username, platform, arch, cwd, pid, timestamp) and sends them as query parameters in an HTTPS request to `fxpkkxatijbbyxuhdclqig6334q9m1j8w.oast.fun`, an out-of-band callback host. package.json declares `"preinstall": "node index.js"`, so the beacon fires automatically on default install with no user interaction. The package self-describes as 'hijacking by yusif', consistent with a dependency-confusion / namespace-hijack proof-of-concept payload. Any installer running `npm install` leaks identifying machine information to the attacker's collaborator endpoint.

Affected packages

npm / loadtest-browser-lib

No fixed version published yet for loadtest-browser-lib (npm). Pin to a known-safe version or switch to an alternative.
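
An added example, not part of this record or of any vendor tooling: a Node.js check that walks a `node_modules` tree and reports packages that declare install-time lifecycle scripts, such as the `preinstall` hook described in the details, or that carry the package name listed here. The function names, the `benign-lib` package and the sample version string are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Package named in this advisory.
const FLAGGED = new Set(['loadtest-browser-lib']);

// Return [hook, command] pairs that a manifest would run at install time.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => [h, scripts[h]]);
}

// Walk a node_modules directory (including @scope folders and nested
// node_modules) and report packages with install hooks or a flagged name.
function auditNodeModules(dir, findings = []) {
  if (!fs.existsSync(dir)) return findings;
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const pkgDir = path.join(dir, entry.name);
    if (entry.name.startsWith('@')) { auditNodeModules(pkgDir, findings); continue; }
    let manifest = null;
    try { manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8')); }
    catch { /* missing or unparsable manifest: nothing to report for this directory */ }
    const hooks = installHooks(manifest);
    const flagged = manifest !== null && FLAGGED.has(manifest.name);
    if (hooks.length || flagged) findings.push({ name: manifest.name, flagged, hooks });
    auditNodeModules(path.join(pkgDir, 'node_modules'), findings);
  }
  return findings;
}

// Constructed sample tree: one manifest shaped like the one described above
// (only the name and preinstall line come from the advisory), one benign package.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-'));
  const write = (rel, manifest) => {
    const d = path.join(root, 'node_modules', rel);
    fs.mkdirSync(d, { recursive: true });
    fs.writeFileSync(path.join(d, 'package.json'), JSON.stringify(manifest));
  };
  write('loadtest-browser-lib', { name: 'loadtest-browser-lib', version: '0.0.0-sample', scripts: { preinstall: 'node index.js' } });
  write('benign-lib', { name: 'benign-lib', version: '1.0.0', scripts: { test: 'node test.js' } });
  return path.join(root, 'node_modules');
}
```

Run `auditNodeModules('node_modules')` against a tree installed with `npm install --ignore-scripts`, so that no hook has executed before the audit.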
