{"id":"MAL-2026-10183","summary":"Malicious code in fkext-browser-min (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c)\nThe package runs vishu.js as a preinstall lifecycle hook on `npm install`. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form `ping-\u003chostname\u003e.\u003ccollaborator\u003e.oastify.com`, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.\n","modified":"2026-07-10T23:01:53.599676029Z","published":"2026-07-10T22:43:30Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.14"],"sha256":"1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c","modified_time":"2026-07-10T22:43:30Z","id":"IN-MAL-2026-009728","import_time":"2026-07-10T22:50:19.244634627Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/fkext-browser-min/v/1.0.14"}],"affected":[{"package":{"name":"fkext-browser-min","ecosystem":"npm","purl":"pkg:npm/fkext-browser-min"},"versions":["1.0.14"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-F5c2Lb6QIXFu+3ldBEdQ3gOZ9b+aOHDYbx8cXRSCgQAmPyrNjZRoHMHL7ZOJY+CeS20rE+Z4rFKAbE+U4hNAWg==","sha1":"956d600ab58369d4f8abe1eb7b363df2092d4b65"},"filename":"fkext-browser-min-1.0.14.tgz"}],"evidence_files":[{"sha256":"148b5be8544f83525c7442f450050b49d7bb467ee17d3b5df9d23c4f39663f8c","path":"vishu.js","tlsh":"7831104db2f7551004f263c8561b951e715be1533325dda1799c02521faad3c82e3bd8"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fkext-browser-min/MAL-2026-10183.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}