VDB
EN

MAL-2026-10086

Malicious code in dl-pp-latm (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716) Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / dl-pp-latm

No fixed version published yet for dl-pp-latm (npm). Pin to a known-safe version or switch to an alternative.

참고