VDB
KO

MAL-2026-10205

Malicious code in library-explorer (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273) package.json declares `preinstall: node index.js`. On `npm install`, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out `whoami` and (non-Windows) `id` via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / library-explorer

No fixed version published yet for library-explorer (npm). Pin to a known-safe version or switch to an alternative.

References