MAL-2026-10178
Malicious code in @broadpeak/smartlib-ad (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289) package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js loads child_process/os/https, runs `whoami` and `id`, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the `@broadpeak` scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @broadpeak/smartlib-ad (npm). Pin to a known-safe version or switch to an alternative.