
MAL-2026-5736

Malicious code in node-stack-frames (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158)

package.json declares a preinstall script that runs an inline Node program on `npm install`. The script requires `os` and `http`, collects `os.hostname()`, `os.platform()`, and `os.arch()`, base64-encodes the result, and issues an HTTP GET to `https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=<encoded>`. The host is a Project Discovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code; its own description identifies it as a security holding placeholder, so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.


Affected packages

npm / node-stack-frames

No fixed version published yet for node-stack-frames (npm). Because the package is itself malicious and ships no functional code, there is no known-safe version to pin to: remove it from your dependency tree (check lockfiles as well as package.json) and use an alternative. Installing with `npm install --ignore-scripts` prevents lifecycle hooks such as this preinstall script from running, and egress logs can be checked for requests to the `oast.live` collector to confirm whether a host already beaconed.

References