MAL-2026-5399
Malicious code in kraken-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (168f5bafda658807ea431a8cb06a1e3006d639d17b7f0c97d3d63e34f49129d5) On require/load, index.js imports os, dns, https, querystring, and the local package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (install path), dns.getServers(), and the full package.json contents, and HTTPS POSTs the JSON payload to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com (a Burp Collaborator OAST subdomain). The version 999.0.0 plus self-described 'dependency confusion proof of concept' is the canonical dependency-confusion attack shape: it is published to the public registry to override an internal package of the same name. Any installer or build system whose resolver picks up this version leaks identifying host/user info and internal DNS topology to an attacker-controlled out-of-band server. Behavior fires automatically when the module's main entry is loaded.
## Source: ghsa-malware (ea308da371652779c24ee15abd8d68c0908ea822dacf5599758c113b8a7ed13c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for kraken-ui (npm). Pin to a known-safe version or switch to an alternative.