MAL-2026-6371
Malicious code in llm-traces-app (npm)
Details
## Source: amazon-inspector (c0916c8694f396dfa0947df6e3b3d3966839a6e02d4a4f5b84f698787c446bdc)

On `npm install`, the package's `preinstall` lifecycle hook runs `node index.js`, which collects host identity (`os.hostname()`, `os.userInfo()`, homedir, DNS servers, cwd) and reads the installer's `/etc/passwd` and `/etc/hosts`, then HTTPS POSTs the combined payload to `ltiyq4zyhrs88zgp5lef9hbec5i46uuj.oastify.com` — a Burp Collaborator (OAST) subdomain controlled by the package publisher. The exfiltration fires automatically on default install with no user interaction. Reading `/etc/passwd` enumerates the installer's local user accounts; the OAST destination provides the publisher with arbitrary out-of-band data capture. This is a textbook dependency-confusion / supply-chain exfiltration beacon.
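
A defender-side check for the pattern described above, as an added example that is not part of the advisory or of Amazon Inspector's tooling: it flags install-time lifecycle hooks in a parsed `package.json` and scans the script each hook launches for the behaviours listed here. The function name, the indicator list and the sample inputs are constructed for illustration.

```javascript
// Added example: static triage of an npm package's install-time hooks.
// The indicator list is an assumption drawn from the behaviours in this advisory.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const INDICATORS = [
  { name: 'host-identity', re: /\bos\.(hostname|userInfo|homedir)\s*\(/ },
  { name: 'dns-servers', re: /\bgetServers\s*\(/ },
  { name: 'sensitive-file-read', re: /\/etc\/(passwd|hosts)\b/ },
  { name: 'outbound-http', re: /require\(\s*['"](node:)?https?['"]\s*\)|\bfetch\s*\(/ },
  { name: 'oast-domain', re: /\b[a-z0-9-]+\.oastify\.com\b/i },
];

// manifest: parsed package.json; files: { relativePath: sourceText } taken from
// the unpacked tarball. Returns one finding per install-time hook.
function auditInstallHooks(manifest, files) {
  const scripts = manifest.scripts || {};
  return HOOKS.filter((h) => typeof scripts[h] === 'string').map((hook) => {
    const command = scripts[hook];
    // Resolve `node <file>` so the script the hook launches is inspected too.
    const m = command.match(/\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/);
    const target = m ? m[1] : null;
    const missingTarget = target !== null && !(target in files);
    const source = target !== null && !missingTarget ? files[target] : '';
    const hits = INDICATORS
      .filter((i) => i.re.test(command) || i.re.test(source))
      .map((i) => i.name);
    // Local data collection plus a network path is the exfiltration pattern;
    // any other install hook is still surfaced for manual review.
    const sends = hits.includes('outbound-http') || hits.includes('oast-domain');
    const collects = hits.some((n) => n !== 'outbound-http' && n !== 'oast-domain');
    return { hook, command, target, missingTarget, hits,
      verdict: collects && sends ? 'block' : 'review' };
  });
}

// Constructed sample: inert fragments shaped like the advisory's description,
// not the real package contents.
const sampleManifest = { name: 'sample-pkg',
  scripts: { preinstall: 'node index.js', test: 'jest' } };
const sampleFiles = {
  'index.js': "require('https'); os.hostname(); os.userInfo(); " +
    "/* ... */ '/etc/passwd' /* ... */ 'constructed.oastify.com'",
};
console.log(JSON.stringify(auditInstallHooks(sampleManifest, sampleFiles), null, 2));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks such as `preinstall` from running, so a package can be unpacked and triaged this way before any of its code executes.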
Affected packages
No fixed version published yet for llm-traces-app (npm). Pin to a known-safe version or switch to an alternative.