MAL-2026-7000
Malicious code in pipo-sdk (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (259159c0505b819905dcaf53172d98a4fd590a9ae1a40f87d2be4c1a7fdc4065) This package is a dependency-confusion payload published at an abnormally high version (9999.0.0) targeting an internal package name (`pipo-sdk`). The `preinstall` lifecycle hook runs `node callback.js || true`, which collects host identity — hostname, username, platform, and current working directory — via `os.hostname()`, `os.userInfo()`, and `os.platform()`, and transmits that data to `pbnuwvwzmktaetcsjyyjlhncsf843r5a5.oast.fun` by two channels: (a) a DNS resolution of a subdomain encoding the collected fields under the OAST domain, and (b) an HTTPS POST of a JSON body containing the same fields. Any host that runs `npm install` — for example, an internal build system whose resolver picks the public 9999.0.0 over a legitimate internal version — will silently beacon its identity to the third-party OAST endpoint. The bug-bounty / research framing in the package metadata does not change the installer-side behavior: unsolicited host-identity exfiltration fires on install regardless of consent, and the resolver-hijack version pin ensures the payload is preferred over legitimate internal artifacts.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for pipo-sdk (npm). Pin to a known-safe version or switch to an alternative.