
MAL-2026-6346

Malicious code in triage-bot (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64)

package.json declares `preinstall: node index.js`, so the payload runs automatically on `npm install` with no user action. index.js requires `os`, `fs`, and `https`, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to `t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com`, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.
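As an added defensive illustration (not part of this advisory or of the amazon-inspector source), the following Node.js audit flags the indicator pattern described above in a package's manifest and source files: a lifecycle install hook, empty metadata, reads of sensitive paths, host-fingerprinting APIs, a network module, and Burp Collaborator (`oastify.com`) domains. The package manifest and file contents it runs on are constructed samples, not the real triage-bot payload.

```javascript
// Added example: audit an npm package for the install-time beacon pattern
// described in the advisory. All inputs below are constructed samples.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Burp Collaborator (oastify.com / burpcollaborator.net) and similar OOB services
const OOB_DOMAIN_RE = /\b[a-z0-9.-]+\.(?:oastify\.com|burpcollaborator\.net|interact\.sh)\b/gi;
const SENSITIVE_PATHS = ['/etc/passwd', '/etc/hosts', '/etc/shadow', '.npmrc', '.ssh/'];
const FINGERPRINT_APIS = ['os.hostname', 'os.userInfo', 'os.homedir', 'dns.getServers'];
const NETWORK_REQUIRE_RE = /require\(\s*['"](?:https?|net|dgram|dns)['"]\s*\)/;

// Returns a list of { kind, detail } findings for one package.
// pkgJson: parsed package.json object; files: { relativePath: sourceText }.
function auditPackage(pkgJson, files) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
  }
  if (!pkgJson.author && !pkgJson.description) {
    findings.push({ kind: 'empty-metadata', detail: 'no author or description' });
  }
  for (const [file, src] of Object.entries(files)) {
    for (const m of src.matchAll(OOB_DOMAIN_RE)) findings.push({ kind: 'oob-domain', detail: `${file}: ${m[0]}` });
    for (const p of SENSITIVE_PATHS) if (src.includes(p)) findings.push({ kind: 'sensitive-path', detail: `${file}: ${p}` });
    for (const api of FINGERPRINT_APIS) if (src.includes(api)) findings.push({ kind: 'fingerprint-api', detail: `${file}: ${api}` });
    if (NETWORK_REQUIRE_RE.test(src)) findings.push({ kind: 'network-module', detail: file });
  }
  return findings;
}

// Verdict: code runs at install time AND either names an OOB domain or
// combines host/file collection with a network module.
function isLikelyBeacon(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (!kinds.has('install-hook')) return false;
  const collects = kinds.has('sensitive-path') || kinds.has('fingerprint-api');
  return kinds.has('oob-domain') || (collects && kinds.has('network-module'));
}

// Constructed sample shaped like the advisory's description (not the real package).
const SUSPICIOUS_PKG = { name: 'sample-beacon', version: '1.0.0', author: '', description: '',
  license: 'ISC', scripts: { preinstall: 'node index.js' } };
const SUSPICIOUS_FILES = { 'index.js': [
  "const os = require('os'), fs = require('fs'), https = require('https');",
  "const info = { host: os.hostname(), passwd: fs.readFileSync('/etc/passwd', 'utf8') };",
  "const sink = 'abc123constructed.oastify.com'; // constructed placeholder subdomain",
].join('\n') };
// Constructed benign package: a `test` script is not a lifecycle hook.
const BENIGN_PKG = { name: 'sample-lib', version: '2.0.0', author: 'Example Dev',
  description: 'string helpers', scripts: { test: 'node test.js' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (s) => s.trim();' };
```

Running `auditPackage` over every `node_modules/*/package.json` (and its top-level `.js` files) before allowing install scripts to execute turns the indicators in this advisory into a repeatable pre-install check.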

Affected packages

npm / triage-bot

No fixed version published yet for triage-bot (npm). Pin to a known-safe version or switch to an alternative.