
MAL-2026-5747

Malicious code in @giftyhq/widget-components (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62)

package.json declares `"preinstall": "node index.js"`, which fires automatically on `npm install`. index.js collects host fingerprinting data — `os.hostname()`, `os.userInfo()`, `process.platform`, uid/gid, shell, cwd, and the output of `child_process.exec('whoami')` and `exec('id')` — and POSTs the result as JSON to the hardcoded URL `https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56`. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure.

The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.
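An added example, not code from the advisory or its source: a static check a defender could run on a package before installing it, flagging install-time lifecycle hooks whose target script shows the indicators described above. The function names, verdict labels and indicator patterns are assumptions made for illustration, and the sample package is constructed and inert.

```javascript
// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Patterns for the behaviour this advisory describes (illustrative, not exhaustive).
const INDICATORS = [
  { id: 'oast-domain', re: /\b[a-z0-9-]+\.oastify\.com\b/i },
  { id: 'child-process', re: /child_process|\bexec(?:Sync)?\s*\(/ },
  { id: 'host-fingerprint', re: /\bos\.(?:hostname|userInfo)\s*\(/ },
  { id: 'outbound-request', re: /\bhttps?\.request\s*\(|\bfetch\s*\(/ },
];

// List each install hook and, for `node <file>` commands, the file it runs.
function hookTargets(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string').map((h) => {
    const m = /^\s*node\s+(\S+)/.exec(scripts[h]);
    return { hook: h, command: scripts[h], file: m ? m[1].replace(/^\.\//, '') : null };
  });
}

// manifestText: contents of package.json; files: { relativePath: sourceText }.
function auditPackage(manifestText, files) {
  const manifest = JSON.parse(manifestText);
  const findings = hookTargets(manifest).map((t) => {
    const has = t.file !== null && Object.prototype.hasOwnProperty.call(files, t.file);
    const src = has ? files[t.file] : '';
    return { ...t, hits: INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id) };
  });
  // Any install hook deserves review; a hook target with two or more indicators is blocked.
  let verdict = 'no-install-hooks';
  if (findings.length > 0) verdict = 'review';
  if (findings.some((f) => f.hits.length >= 2)) verdict = 'block';
  return { name: manifest.name, verdict, findings };
}

// Constructed sample input: an inert fragment, placeholder host, request code elided.
const SAMPLE_MANIFEST = JSON.stringify({
  name: '@constructed/sample', scripts: { preinstall: 'node index.js' },
});
const SAMPLE_FILES = {
  'index.js': [
    "const os = require('os');",
    "const info = { host: os.hostname(), user: os.userInfo() };",
    '// POST of info to https://placeholder.oastify.com/ elided',
  ].join('\n'),
};

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

To audit a real package, pass in the text of its package.json and of the hook's target file from an unpacked tarball rather than an installed copy. Installing with `npm install --ignore-scripts` keeps lifecycle hooks such as this `preinstall` from running at all.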


Affected packages

npm / @giftyhq/widget-components

No fixed version published yet for @giftyhq/widget-components (npm). Pin to a known-safe version or switch to an alternative.
