
MAL-2026-6349

Malicious code in bug-monorepo (npm)

Details

## Source: amazon-inspector (bdac6ea5e7530323f39451c43fc9e4693b30704a5f9e9287018c727a44c36a5d)

package.json declares `preinstall: node index.js`, causing index.js to run automatically on `npm install`. The script collects the hostname, username, home directory, DNS servers, and the full package.json, reads `/etc/passwd` and `/etc/hosts` (index.js:18), and then HTTPS-POSTs the JSON payload to `cp5uzinglyy3ifb8gvvgvq5qvh19p0dp.oastify.com` (a Burp Collaborator out-of-band subdomain controlled by the attacker). The empty author/description fields and the generic `bug-monorepo` name are consistent with a dependency-confusion reconnaissance package targeting an internal namespace. Installing this package leaks host identity and sensitive system file contents to an attacker-controlled endpoint.


Affected packages

npm / bug-monorepo

No fixed version published yet for bug-monorepo (npm). Pin to a known-safe version or switch to an alternative.
