MAL-2026-6292
Malicious code in @outmarket/utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0)

package.json declares a postinstall lifecycle script that fires automatically on `npm install`. The inline `node -e` payload uses hex-encoded property names (`\x6f\x73` for `os`, `\x68\x6f\x73\x74\x6e\x61\x6d\x65` for `hostname`, `\x75\x73\x65\x72\x49\x6e\x66\x6f` for `userInfo`) to obscure that it reads `os.hostname()` and `os.userInfo().username`, then issues an HTTP GET to `http://208.87.128.25:8888/?h=<hostname>&u=<username>`. The destination is a bare IPv4 over cleartext HTTP — not a publisher domain or known infrastructure. The package is published under the `@outmarket` scope with a description identifying it as a dependency-confusion proof-of-concept, but the on-install behavior is indistinguishable from a real dependency-confusion beacon: any installer who resolves this public package in place of an internal `@outmarket/utils` will leak host identity to the hardcoded endpoint. Hex obfuscation of standard Node API names is evasion, not a legitimate engineering choice.
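An added example, not part of the advisory or of any scanner's code: a Node.js check that flags the install-hook traits described above (inline `node -e`, hex-escaped names, cleartext HTTP to a bare IPv4 address, host-identity reads). The manifest, the `@example/utils` name and the `192.0.2.10` address are constructed, and the function names are hypothetical.

```javascript
// Lifecycle hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Turn \xNN escapes back into characters so hidden identifiers are readable.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Return one finding per install hook that shows any of the advisory's traits.
function auditManifest(jsonText) {
  const scripts = JSON.parse(jsonText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const decoded = decodeHexEscapes(cmd);
    // Two or more consecutive escapes: a whole name is hidden, not one character.
    const hexRuns = cmd.match(/(?:\\x[0-9a-fA-F]{2}){2,}/g) || [];
    const bareIp = decoded.match(/\bhttp:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/);
    const reasons = [];
    if (/\bnode\s+(?:-e|--eval|-p|--print)\b/.test(cmd)) reasons.push('inline-node-eval');
    if (hexRuns.length) reasons.push('hex-escaped-strings');
    if (bareIp) reasons.push('cleartext-http-to-bare-ip');
    if (/\b(?:hostname|userInfo)\b/.test(decoded)) reasons.push('host-identity-read');
    if (reasons.length) {
      findings.push({
        hook, reasons,
        hidden: [...new Set(hexRuns.map(decodeHexEscapes))], // decoded names
        endpoint: bareIp ? bareIp[1] : null,
      });
    }
  }
  return findings;
}

// Constructed sample manifest (inert: the URL sits in a comment, nothing is sent).
const SAMPLE_MANIFEST = JSON.stringify({
  name: '@example/utils',
  scripts: {
    test: 'node test.js',
    postinstall: String.raw`node -e "const o=require('\x6f\x73');o['\x68\x6f\x73\x74\x6e\x61\x6d\x65']();// http://192.0.2.10:8888/"`,
  },
});

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To review a dependency tree with this check before any hook fires, fetch it with `npm install --ignore-scripts` and pass each `package.json` to `auditManifest`.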
Affected packages
No fixed version published yet for @outmarket/utils (npm). Pin to a known-safe version or switch to an alternative.