VDB
EN

MAL-2026-10200

Malicious code in api-changelly (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c) The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain `https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56`. The package name `api-changelly` impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private `changelly`-family dependency to this public package.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / api-changelly

No fixed version published yet for api-changelly (npm). Pin to a known-safe version or switch to an alternative.

참고