—

MAL-2026-6124

Malicious code in @onum-releases/ixel (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599) On import, index.js reads os.hostname() and issues an HTTPS GET to `ixel.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel` (oastify.com is Burp Suite's Collaborator out-of-band interaction domain). The hostname is embedded as a DNS subdomain label, so the DNS resolution alone leaks the installer's hostname to an attacker-controlled nameserver regardless of whether the HTTP request succeeds. Any developer machine or CI runner that `require()`s this package — directly or transitively — sends a host identifier to the operator of the configured Collaborator instance. The package.json description ("Security PoC placeholder - benign, no runtime payload") contradicts the shipped code, and the `@onum-releases` scope appears designed to resemble a legitimate vendor releases namespace.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @onum-releases/ixel

No fixed version published yet for @onum-releases/ixel (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.2 [PACKAGE]
https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.3 [PACKAGE]
https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.1 [PACKAGE]