MAL-2026-5150
Malicious code in @aonunited/angular (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (63dac830216ae445ebe7c5f45534e479d73a23a098ea9fc5740eeded5ebab4c9) On `npm install`, the package's preinstall script (preinstall.js) collects the installer's hostname, OS username, current working directory, and a timestamp, then sends them to two attacker-style out-of-band endpoints: a DNS lookup of a subdomain under `oast.fun` (an Interactsh-style callback service) constructed from the installer's identifiers, and an HTTPS POST of a JSON payload to a `webhook.site` URL. The package itself provides no functionality — it is a high-version (99.0.1) namespace-confusion lure against an internal `@aonunited/angular` package, designed so that any environment whose resolver picks the public registry copy will auto-execute the beacon. Although the metadata describes this as authorized HackerOne VDP research, the package is published to the public npm registry, so any developer or build system that installs or mistypes it leaks host fingerprints to third-party infrastructure without consent.
## Source: ghsa-malware (edcefa4f7ecdb8b1bf87735af2b0de89a74794dda4d8fbac66b99eaa7914d861) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (411e19a999b3354e6b5ad40e6da82882c1bf314a35d722ade7b3e23eb9c4a46c) The OpenSSF Package Analysis project identified '@aonunited/angular' @ 99.0.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for @aonunited/angular (npm). Pin to a known-safe version or switch to an alternative.