—

MAL-2026-6355

Malicious code in ppt-creator (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8040bc58597dee52581beb232688c85302554af0af5726abc15c56a21ac69f2c) On `npm install`, package.json's `preinstall` hook runs index.js, which collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, the package's own package.json) and reads the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to a Burp Collaborator subdomain at 3z3l99x7vp8us6lzqm575hfh58bzzqnf.oastify.com. The package has no documented purpose and no library functionality — its only effect on installers is the exfiltration beacon. Any developer or CI system that runs `npm install ppt-creator` leaks user-account enumeration data and host fingerprints to the attacker-controlled collaborator endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ppt-creator

No fixed version published yet for ppt-creator (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/ppt-creator/v/1.0.0 [PACKAGE]