VDB
EN

MAL-2026-10096

Malicious code in guest-app-ui (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5244faa59fb08eaa6dec10250fe2218a4909cb06ecc6ac972fda38b144f2aaef) Package publishes as version 99.0.0 under a name presented in its README as an unclaimed internal name, positioning it to win dependency-confusion resolution against private registries. Both preinstall and postinstall lifecycle hooks in package.json execute callback.js, which collects installer host identifiers (os.hostname(), process.env.USER, process.cwd(), __dirname, platform/release, internal IPv4 addresses, and process.env.npm_config_registry), base64url-encodes the payload, and transmits it over three redundant channels to the hardcoded host 4li9yfz7.instances.httpworkbench.com: a DNS lookup/resolve4 with the payload as a subdomain label, an HTTP POST, and an HTTPS POST with TLS verification disabled (rejectUnauthorized: false). Any organization that has a private package by this name and lacks a scope/registry pin will pull this public artifact on npm install and beacon host fingerprint data to the external interaction host. The self-labeling as an authorized research PoC does not gate the behavior — every installer of this name is fingerprinted unconditionally.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / guest-app-ui

No fixed version published yet for guest-app-ui (npm). Pin to a known-safe version or switch to an alternative.

참고