MAL-2026-6521
Malicious code in @carvana.authentication-flows/shared (npm)
Details
## Source: amazon-inspector (78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894)

package.json declares a preinstall hook (`node index.js`) that runs unconditionally on `npm install`. index.js imports child_process/os/https, collects host identifiers (os.hostname, os.userInfo, platform, arch, homedir, cwd) and shells out to `whoami`/`id`, then POSTs the collected JSON to a hardcoded Burp Collaborator subdomain at https://pleq9pugrugzr4zgyymazmnq0h68u4it.oastify.com/detox56.

The package name also impersonates the Carvana org by using a `.` in the scope (`@carvana.authentication-flows/shared`), making `carvana.authentication-flows` a fake top-level npm scope rather than a Carvana-owned namespace.

There is no legitimate functionality shipped; the package's sole effect on install is reconnaissance exfiltration to an attacker-controlled out-of-band server.
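The indicators above (an unconditional lifecycle hook, install-time imports of child_process/os/https, a shell-out, a hardcoded callback to an out-of-band domain, and a dotted scope name) are all visible in the package tarball before `npm install` runs anything. The following script is an added example, not part of this advisory or of Amazon Inspector's tooling: it audits a package.json and its entry script as strings and returns a verdict a reviewer can gate on. The list of out-of-band callback domains and the scoring rule are assumptions chosen for illustration; the sample inputs are constructed to mirror the behaviour described above, with the advisory's own callback URL as the only page-derived value.

```python
"""Offline audit of an npm package for install-time reconnaissance indicators."""
import json
import re

# npm lifecycle scripts that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Node built-ins that have no business in a shared library's install-time script.
SENSITIVE_MODULES = ("child_process", "os", "https", "http", "dns", "net")

# Out-of-band callback services (assumed list; oastify.com is the Burp
# Collaborator domain named in the advisory).
OOB_DOMAINS = ("oastify.com", "burpcollaborator.net", "interact.sh")

URL_RE = re.compile(r"""https?://[\w.-]+(?:/[^\s'"`)]*)?""")
REQUIRE_RE = re.compile(r"""require\(\s*['"]([\w:/.-]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""from\s+['"]([\w:/.-]+)['"]""")
# Heuristic: any child_process-style call site. May also match RegExp.exec(),
# which is acceptable for a triage signal that is combined with other findings.
EXEC_RE = re.compile(r"\b(?:execSync|execFileSync|spawnSync|exec|execFile|spawn)\s*\(")


def scope_uses_dot(name: str) -> bool:
    """True when the scope segment contains a '.', e.g. '@carvana.authentication-flows/shared'.
    npm accepts such names, but the scope then reads like a real org's sub-namespace."""
    if not name.startswith("@") or "/" not in name:
        return False
    scope = name[1:].split("/", 1)[0]
    return "." in scope


def audit_package(package_json: str, entry_js: str) -> dict:
    """Return the indicators found plus a verdict: 'ok', 'review' or 'block'."""
    pkg = json.loads(package_json)
    name = pkg.get("name", "")
    scripts = pkg.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

    modules = set(REQUIRE_RE.findall(entry_js)) | set(IMPORT_RE.findall(entry_js))
    modules = {m[5:] if m.startswith("node:") else m for m in modules}
    urls = URL_RE.findall(entry_js)
    oob = [u for u in urls if any(d in u for d in OOB_DOMAINS)]

    findings = {
        "name": name,
        "lifecycle_hooks": hooks,
        "sensitive_modules": sorted(modules & set(SENSITIVE_MODULES)),
        "shells_out": bool(EXEC_RE.search(entry_js)),
        "outbound_urls": urls,
        "oob_callback": oob,
        "scope_uses_dot": scope_uses_dot(name),
    }
    # Assumed scoring rule: a lifecycle hook that reaches an OOB domain, or that
    # shells out and talks to any network endpoint, is blocked outright; any
    # other lifecycle hook is escalated for manual review.
    if hooks and (oob or (findings["shells_out"] and urls)):
        findings["verdict"] = "block"
    elif hooks:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "ok"
    return findings


# Constructed sample mirroring the advisory's description (not the real artifact).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@carvana.authentication-flows/shared",
    "version": "1.0.0",
    "scripts": {"preinstall": "node index.js"},
})
SAMPLE_INDEX_JS = """
const os = require('os');
const https = require('https');
const { execSync } = require('child_process');
const user = execSync('whoami').toString();
const sink = 'https://pleq9pugrugzr4zgyymazmnq0h68u4it.oastify.com/detox56';
"""

# Constructed benign control: no lifecycle hook, no sensitive imports.
BENIGN_PACKAGE_JSON = json.dumps({"name": "@acme/utils", "scripts": {"build": "tsc"}})
BENIGN_INDEX_JS = "module.exports = { add: (a, b) => a + b };\n"

if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS), indent=2))
```

Running this against an extracted tarball (`npm pack` the version under review and point the two arguments at its package.json and the script named by the hook) gives a decision before any lifecycle script executes; setting `ignore-scripts=true` in `.npmrc` for CI is the complementary control that removes the preinstall vector entirely.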
Affected packages
No fixed version published yet for @carvana.authentication-flows/shared (npm). Pin to a known-safe version or switch to an alternative.