VDB
KO

MAL-2025-5455

Malicious code in red-bull-venue-tools (npm)

Details

The package communicates with a domain associated with malicious activity.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b) package.json declares preinstall=`node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), `whoami` and `id` shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every `npm install` of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / red-bull-venue-tools
Introduced in: 9.9.9

No fixed version published yet for red-bull-venue-tools (npm). Pin to a known-safe version or switch to an alternative.

References