MAL-2026-6127

Malicious code in @onum-releases/utils (npm)

Details

## Source: amazon-inspector (887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8)

On `require('@onum-releases/utils')`, `index.js` reads `os.hostname()` and issues an HTTP GET to `utils.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com`, leaking the installer's hostname via DNS and HTTP to an out-of-band collaborator endpoint controlled by the package publisher. The beacon fires unconditionally on module load, so any consumer that imports the package exposes its host identifier to the attacker-controlled collaborator. The `package.json` description claims "Security PoC placeholder - benign, no runtime payload", directly contradicting the shipped code. The scope `@onum-releases` impersonates the Onum vendor namespace, consistent with a dependency-confusion lure aimed at that organization's developers.

Affected packages

npm / @onum-releases/utils

No fixed version published yet for @onum-releases/utils (npm). Pin to a known-safe version or switch to an alternative.
