
MAL-2026-5486

Malicious code in menu-filter-widget-web (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce)

package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname() and sends it to a hardcoded oastify.com (Burp Collaborator) URL via HTTPS GET, with a fallback DNS lookup that embeds the hostname as a subdomain label. Both channels carry a unique token plus the installer's hostname, registering the install with a remote attacker-controlled collaborator on every install. The package self-describes as a 'PoC' but is published to the public registry, so any installer leaks host identity automatically without consent.

Affected packages

npm / menu-filter-widget-web

No fixed version published yet for menu-filter-widget-web (npm). Pin to a known-safe version or switch to an alternative.
