MAL-2026-5910
Malicious code in uidai_reusable_components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5875a720dc1cfc6e30a67b003fc43975fbef2e11352e715e19e55e54dd84ae67)

On `npm install`, the preinstall lifecycle script in package.json executes an inline Node one-liner that collects the installer's hostname, OS username, NODE_ENV, current working directory, local IPv4 addresses (via `ipconfig|findstr IPv4` on Windows or `hostname -I` on Linux), the configured npm registry URL (`npm config get registry`), and Windows USERDOMAIN / Unix `id` output. The collected data is URL-encoded and embedded as a subdomain label in an HTTP GET to `*.d8ofndiplbq1d996mde0a9yukto9dm49e.oast.online`, an Interactsh out-of-band callback host controlled by the package author. The package's own description states it is a 'PoC for dependency confusion' targeting the UIDAI (Aadhaar / India's national identity authority) internal namespace, and the harvested private npm registry URL is the canonical signal an attacker uses to confirm a dependency-confusion victim. The package ships no actual UI component functionality — its only effect on install is the exfiltration beacon.
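
A defender-side check for the pattern described above, as an added example (not code from the package or from the advisory source): it audits a parsed package.json for install-time lifecycle hooks and flags the indicators the advisory names. The function names, severity labels and both sample manifests are constructed for illustration; the preinstall string is an inert placeholder, not the package's script.

```javascript
// Added example: audit a parsed package.json for install-time hooks that match this advisory.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Indicators taken from the advisory text. Each one is a heuristic, not proof of malice.
const INDICATORS = [
  { id: "inline-node", re: /\bnode\s+(-e|--eval)\b/ },
  { id: "host-recon", re: /\bhostname\s+-I\b|\bipconfig\b|\bUSERDOMAIN\b/ },
  { id: "registry-probe", re: /\bnpm\s+config\s+get\s+registry\b/ },
  { id: "oast-callback", re: /\.oast\.online\b/i },
];

// Severity labels are an assumption of this example, not an npm or OSV convention.
function classify(hits) {
  if (hits.includes("oast-callback") || hits.includes("registry-probe")) return "block";
  if (hits.length >= 2) return "block";
  return hits.length === 1 ? "review" : "info";
}

// Returns one finding per install-time hook present, even when no indicator matches,
// because any code that runs during `npm install` deserves to be inventoried.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const body = scripts[hook];
    if (typeof body !== "string") continue;
    const hits = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.id);
    findings.push({ hook, hits, severity: classify(hits) });
  }
  return findings;
}

// Constructed sample manifests (inert placeholder text, not real package contents).
const SUSPECT = {
  name: "constructed-internal-lookalike",
  scripts: {
    preinstall:
      'node -e "/* placeholder: hostname -I; npm config get registry; GET <data>.PLACEHOLDER.oast.online */"',
  },
};
const BENIGN = {
  name: "constructed-native-addon",
  scripts: { install: "node-gyp rebuild", test: "jest" },
};

console.log(JSON.stringify(auditManifest(SUSPECT)));
console.log(JSON.stringify(auditManifest(BENIGN)));
```

Running installs with `npm install --ignore-scripts` keeps lifecycle hooks from executing while a flagged manifest is under review.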
Affected packages
No fixed version published yet for uidai_reusable_components (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/uidai_reusable_components/v/0.4.3 [PACKAGE]
- https://www.npmjs.com/package/uidai_reusable_components/v/0.4.5 [PACKAGE]
- https://www.npmjs.com/package/uidai_reusable_components/v/0.4.2 [PACKAGE]
- https://www.npmjs.com/package/uidai_reusable_components/v/0.4.6 [PACKAGE]
- https://www.npmjs.com/package/uidai_reusable_components/v/0.4.4 [PACKAGE]