MAL-2026-10179
Malicious code in @uwr/colors (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (91240d8fb55b7ed4730a41f3a334c633bf1a03afb649fd473cad0c0a25312847) The package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of `<hostname>.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com`, leaking the hostname to a Burp Suite Collaborator subdomain at `npm install` time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel. The package's advertised functionality is a trivial 5-entry frozen color constants map under the unscoped-looking @uwr scope ("colors for the unified workflow runtime") with an empty author field, consistent with a dependency-confusion / reconnaissance probe staged against an internal namespace rather than a legitimate library.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @uwr/colors (npm). Pin to a known-safe version or switch to an alternative.