MAL-2026-6997
Malicious code in goofy-sdk (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (779daa3389f4ff3ea7ca2acb4e0202b4465e90fa0d8b7bdcc0e3785f34e454a2) goofy-sdk@9999.0.0 is a dependency-confusion squat: the version is inflated to 9999.0.0 to shadow an internal package of the same name in build systems that resolve unscoped names against the public npm registry. On install, the package's preinstall hook executes callback.js, which reads os.hostname(), os.userInfo().username, process.platform, and process.cwd() and transmits them out-of-band to *.oast.fun (Interactsh OAST callback infrastructure) via a DNS subdomain-encoded lookup and an HTTPS POST. Any build system that mis-resolves the internal name to this public package will silently leak internal host identity to a third-party callback service. Self-declared bug-bounty/research framing does not change the installer-side impact — the harm (unconsented host-identity beacon on install) is the same regardless of motive.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for goofy-sdk (npm). Pin to a known-safe version or switch to an alternative.