—

MAL-2026-6143

Malicious code in node-vfs-polyfill (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b) On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com (Burp Collaborator), a domain commonly used for out-of-band data exfiltration. The script imports http, https, os, and child_process; calls os.hostname() and execSync() to gather system identifiers; and POSTs the collected data — including hostname, username, and version fields — to hardcoded endpoints such as http://xxxxxxxxx.oastify.com and http://rni4z9qkil62r9dcwosokhtgo7u9i76w.oastify.com. The package name suggests a generic VFS polyfill but the postinstall does no polyfill work; its sole observable effect on `npm install` is system-info exfiltration. This matches the dependency-confusion / reconnaissance beacon pattern.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / node-vfs-polyfill

No fixed version published yet for node-vfs-polyfill (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/node-vfs-polyfill/v/2.0.5 [PACKAGE]