
MAL-2026-6123

Malicious code in @onum-releases/auth (npm)

Details


## Source: amazon-inspector (22d4bde1772d506f812e112fb8d6bfbf6a6f187dd823640f2cf15811f0d0633a)

On `require('@onum-releases/auth')`, index.js reads `os.hostname()` and issues an HTTP GET to `auth.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com`, transmitting the installer's host identifier to a Burp Collaborator out-of-band domain via both DNS resolution and HTTP. The package.json self-identifies as a 'dependency-confusion / scope-takeover demonstration' placeholder under the @onum-releases scope, so any build that mistakenly resolves an internal `@onum-releases/*` name to the public registry will leak its hostname to a third-party collaborator endpoint. Although labeled a PoC, the import-time beacon performs unconsented exfiltration of installer-side data to an attacker-controlled domain.
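The resolution mistake described above (an internal scope fetched from the public registry) is visible in a project's lockfile and `.npmrc`. The following is an added example, not code from the advisory or from the package: it flags lockfile entries under an internal scope whose `resolved` URL points at registry.npmjs.org, and lists internal scopes that `.npmrc` does not map to a private registry. The internal registry host, the lock contents and the versions are constructed.

```javascript
// Added example (not part of the advisory): audit npm lock/.npmrc data for
// internal scopes that resolve to the public registry (dependency confusion).
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Return lockfile (lockfileVersion 2/3 "packages" map) entries whose package
// name is under one of `internalScopes` but whose tarball came from the
// public registry.
function findScopeLeaks(lock, internalScopes) {
  const leaks = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = entry.name ||
      path.slice(path.lastIndexOf(marker) + marker.length);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope || !internalScopes.includes(scope)) continue;
    const resolved = entry.resolved || '';
    if (resolved.startsWith(PUBLIC_REGISTRY)) {
      leaks.push({ name, version: entry.version, resolved });
    }
  }
  return leaks;
}

// Return the internal scopes that the given .npmrc text does not map to a
// non-public registry via an "@scope:registry=<url>" line.
function unmappedScopes(npmrcText, internalScopes) {
  const mapped = new Set();
  for (const line of npmrcText.split('\n')) {
    const m = line.match(/^\s*(@[^:]+):registry\s*=\s*(\S+)/);
    if (m && !m[2].startsWith(PUBLIC_REGISTRY)) mapped.add(m[1]);
  }
  return internalScopes.filter((s) => !mapped.has(s));
}

// Constructed sample data: one internal package resolved to the public
// registry (the advisory's scenario), one correctly from a private registry.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@onum-releases/auth': { version: '1.0.0',
      resolved: 'https://registry.npmjs.org/@onum-releases/auth/-/auth-1.0.0.tgz' },
    'node_modules/@onum-releases/core': { version: '2.3.1',
      resolved: 'https://npm.internal.example/@onum-releases/core/-/core-2.3.1.tgz' },
    'node_modules/lodash': { version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  },
};
const SAMPLE_NPMRC =
  'registry=https://registry.npmjs.org/\n@onum-releases:registry=https://npm.internal.example/\n';
console.log(findScopeLeaks(SAMPLE_LOCK, ['@onum-releases']));
console.log(unmappedScopes(SAMPLE_NPMRC, ['@onum-releases']));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the contents of the project `.npmrc`; a non-empty result from either function means the build can pull `@onum-releases/*` names from the public registry.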


Affected packages

npm / @onum-releases/auth

No fixed version published yet for @onum-releases/auth (npm). Pin to a known-safe version or switch to an alternative.
