MAL-2026-10203
Malicious code in giantswarm (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (75f3a244f2761c56347f695897a491d23ab04cafe1e5b0e46fd7d0d2c993f828) The package declares a `preinstall` hook (`node index.js`) that runs automatically on `npm install`. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, `whoami`, `id`, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name `giantswarm` impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private `@giantswarm/*` scopes.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for giantswarm (npm). Pin to a known-safe version or switch to an alternative.