VDB
KO

MAL-2026-10579

Malicious code in bimi-maker (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a4e6202887cfa87e6dcff6e37af854445a0e44f38b25ef6d3e40fec06cc8b5f) On `npm install`, the package's preinstall hook runs `node index.js`, which executes `whoami` and `id` via child_process and collects `os.hostname()`, `os.userInfo()`, `os.platform()`, homedir, cwd, and related host identifiers. The collected JSON payload is POSTed over HTTPS to a hardcoded Burp Collaborator subdomain, `https://mqgby2y4jlp0k06gbpg1ulgjqaw1ks8h.oastify.com/detox56`. The package ships no legitimate functionality matching its BIMI-related name; the only observable behavior is an install-time reconnaissance beacon to an attacker-controlled OAST endpoint, consistent with dependency-confusion or typosquat probing.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / bimi-maker

No fixed version published yet for bimi-maker (npm). Pin to a known-safe version or switch to an alternative.

References