
MAL-2026-6565

Malicious code in @uisp/utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e841054b9f1d1625077178da23e8096c345ff196851058742d4903747d1461ea)

Package published to the public npm registry under the @uisp scope at version 99.0.1, the canonical dependency-confusion shape (organization-matching scope plus inflated version to outrank private internal releases). package.json declares scripts.preinstall="node beacon.js". beacon.js unconditionally runs child_process.execSync('whoami') and exfiltrates the base64-encoded output to a hardcoded Burp Collaborator host (w963dgom49n3ibi6677fuaxd64cv0loa.oastify.com) via both a DNS lookup of NONCE.<b64>.<collab> and an https.get to https://<collab>/<nonce>/whoami/<b64>.

Installer harm: running `npm install` against the public registry (or any misconfigured registry resolution that falls through to it) auto-executes attacker code on the build host and leaks host identity to an external out-of-band collector. The README's claim of authorized research does not constitute consent for arbitrary installers and does not mitigate the install-time RCE + exfiltration mechanism.


Affected packages

npm / @uisp/utils
Introduced in: 0

No fixed version published yet for @uisp/utils (npm). Pin to a known-safe version or switch to an alternative.

References