{"id":"MAL-2026-3639","summary":"Malicious code in briantreehttp (npm)","details":"`briantreehttp` is a typosquatting package impersonating `braintreehttp`, the HTTP client library published by Braintree/PayPal. The package bundles the legitimate library source to appear functional while hiding a credential-theft payload in `index1.js`, which is executed at install time via the `postinstall` script.\n\nThe payload collects hostname, platform, architecture, Node.js version, UID, current working directory, all environment variables, AWS credentials (`~/.aws/credentials`, `~/.aws/config`), npm tokens from `.npmrc` files (root, home, and working directory), Docker config (`~/.docker/config.json`), git config, `.netrc`, yarn config, npm global config, directory listings of the working directory, home, filesystem root, and `/etc`, network configuration files (`/etc/resolv.conf`, `/etc/hosts`, `/proc/net/route`), and AWS ECS/EC2 instance metadata from internal endpoints. All collected data is base64-encoded and exfiltrated via HTTPS POST to `reportviewer.click/collect/`. A secondary DNS-based exfiltration channel encodes environment variables into a subdomain and issues a request to `dns.reportviewer.click`.","modified":"2026-05-13T08:50:49.835570Z","published":"2026-05-11T00:00:00Z","database_specific":{"malicious-packages-origins":null},"affected":[{"package":{"name":"briantreehttp","ecosystem":"npm","purl":"pkg:npm/briantreehttp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/briantreehttp/MAL-2026-3639.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}