MAL-2026-5802
Malicious code in cardano-addresses-docs (npm)
Details
## Source: amazon-inspector (9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75)

`package.json` declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. `index.js` collects host identifiers (`os.hostname()`, `os.userInfo()`, homedir, DNS servers, `__dirname`, full `package.json`) and reads `/etc/passwd` and `/etc/hosts` from the installer's machine, then HTTPS-POSTs the JSON payload to swsusmhg43tobo96re8dwn0vomudi46t.oastify.com, a Burp Collaborator out-of-band domain. The package has empty author, empty description, no real functionality, and a name impersonating the legitimate cardano-addresses Cardano library, which is consistent with a dependency-confusion / typosquat reconnaissance payload.
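The traits listed above can be checked statically on an unpacked package before anything is installed. The following is an added example, not code from this advisory or from amazon-inspector; `triagePackage`, the `files` map shape, and the sample inputs are assumptions constructed for illustration.

```javascript
// Static triage of an unpacked npm package; nothing from the package is executed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Source patterns derived from the behaviours named in the advisory text.
const SOURCE_INDICATORS = [
  { id: 'host-identifiers', re: /\bos\.(hostname|userInfo|homedir)\s*\(/ },
  { id: 'dns-servers', re: /\bgetServers\s*\(/ },
  { id: 'reads-system-files', re: /\/etc\/(passwd|hosts)\b/ },
  { id: 'oob-domain', re: /\b[a-z0-9-]+\.oastify\.com\b/i },
];

// manifest: parsed package.json; files: { relativePath: sourceText } (assumed shape).
function triagePackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    findings.push({ id: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    // Follow `node <file>.js` so the script the hook launches is inspected too.
    const m = scripts[hook].match(/\bnode\s+(\S+\.js)\b/);
    const src = m ? files[m[1].replace(/^\.\//, '')] : undefined;
    if (typeof src !== 'string') continue;
    for (const ind of SOURCE_INDICATORS) {
      if (ind.re.test(src)) findings.push({ id: ind.id, detail: m[1] });
    }
  }
  const author = manifest.author && typeof manifest.author === 'object'
    ? manifest.author.name : manifest.author;
  if (!author && !manifest.description) {
    findings.push({ id: 'empty-metadata', detail: 'no author, no description' });
  }
  return findings;
}

// Constructed samples: inert text fragments, not the real package contents.
const sampleManifest = {
  name: 'cardano-addresses-docs', author: '', description: '',
  scripts: { preinstall: 'node index.js' },
};
const sampleFiles = {
  'index.js': "os.hostname(); os.userInfo(); fs.readFileSync('/etc/passwd'); " +
              "// POST to constructed-id.oastify.com",
};
const benignManifest = { name: 'benign-constructed', author: 'Example Dev',
  description: 'demo', scripts: { test: 'node test.js' } };

console.log(triagePackage(sampleManifest, sampleFiles).map((f) => f.id));
```

An install hook alone is not proof of malice, since many legitimate packages build native code in `postinstall`; the combination of a hook, host fingerprinting, and an out-of-band callback domain is what warrants blocking.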
Affected packages
No fixed version published yet for cardano-addresses-docs (npm). Pin to a known-safe version or switch to an alternative.