MAL-2026-6069
Malicious code in @civitatis/bot-ui (npm)
Details
## Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7)

The package declares `"preinstall": "node index.js"` in package.json, causing index.js to execute automatically on `npm install`. index.js requires `child_process`, `os`, `https`, and `http`, then collects host and user identity — `whoami`, `id`, `os.hostname()`, `process.platform`, architecture, homedir, `os.userInfo()` (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL `https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56` (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the `bot-ui` name — and the `@civitatis` scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.
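A defender-side check for the pattern described above, as an added example (not part of the advisory or the package): it flags npm install-time hooks and, when a hook runs `node <file>`, inspects that file for the traits listed here. The function name `auditPackage`, the finding labels and the sample input are assumptions constructed for illustration.

```javascript
// Hooks npm runs automatically during `npm install`, and the OOB domain named in this advisory.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const OOB_DOMAINS = ["oastify.com"];

// manifest: parsed package.json; files: { relativePath: sourceText } (hypothetical input shape)
function auditPackage(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push(`hook:${hook}`);
    // Follow `node <file>` to the script the hook executes.
    const m = /^\s*node\s+(\S+)/.exec(cmd);
    const src = m && files[m[1].replace(/^\.\//, "")];
    if (!src) continue;
    const mods = [...src.matchAll(/require\(\s*['"](?:node:)?([\w/]+)['"]\s*\)/g)]
      .map((x) => x[1]);
    const hasNetwork = mods.includes("https") || mods.includes("http");
    const readsIdentity = /\bos\.(hostname|userInfo|homedir)\s*\(/.test(src);
    if (mods.includes("child_process")) findings.push("exec:child_process");
    if (readsIdentity && hasNetwork) findings.push("exfil:host-identity");
    // Hardcoded URLs whose host is, or is a subdomain of, a listed OOB domain.
    for (const u of src.match(/https?:\/\/[^\s'"`]+/g) || []) {
      const host = u.split("/")[2].split(":")[0].toLowerCase();
      if (OOB_DOMAINS.some((d) => host === d || host.endsWith("." + d)))
        findings.push(`oob-host:${host}`);
    }
  }
  // Empty description and author only count alongside an install hook.
  if (findings.length && !manifest.description && !manifest.author)
    findings.push("metadata:empty");
  return findings;
}

// Constructed sample input modelled on the behaviour described above (not the real package contents).
const sampleManifest = { name: "@example/bot-ui", description: "", author: "", scripts: { preinstall: "node index.js" } };
const sampleFiles = {
  "index.js": [
    'const cp = require("child_process"), os = require("os");',
    'const https = require("https");',
    'const info = { host: os.hostname(), user: os.userInfo() };',
    'const url = "https://constructed-id.oastify.com/path";',
  ].join("\n"),
};
console.log(auditPackage(sampleManifest, sampleFiles));
```

Running `npm install --ignore-scripts` keeps lifecycle hooks from executing while a dependency tree is being reviewed this way.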
Affected packages
No fixed version published yet for @civitatis/bot-ui (npm). Pin to a known-safe version or switch to an alternative.