VDB
KO

MAL-2026-6991

Malicious code in airkey-mfa-react (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (03026bf6133183ffaba772b4b1f585bab0a42ab87823a0a2375a7f1cba08661e) package.json declares a preinstall hook that runs index.js on `npm install`. index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of `whoami` and `id` — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package ships no library code matching its advertised MFA/React purpose; the install-time beacon is the package's only functional behavior. Empty author/description metadata and the mismatch between the package name and its contents are consistent with a dependency-confusion or namespace-squat placeholder targeting an internal package name.

## Source: ossf-package-analysis (aabfcc531d8f0174d9ba67b4ff82625500d953dfa0016b3e7bd95df973d5509f) The OpenSSF Package Analysis project identified 'airkey-mfa-react' @ 36.1.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / airkey-mfa-react

No fixed version published yet for airkey-mfa-react (npm). Pin to a known-safe version or switch to an alternative.

References