MAL-2026-10085: Malicious code in dependency_confusions (npm)
The npm package 'dependency_confusions' version 99.9.9 contains malicious code that executes automatically upon installation via a postinstall hook. This code collects sensitive environment information including the installer's OS username, hostname, current working directory, local IPv4 address, and platform, then sends this data to a hardcoded external webhook. This behavior facilitates reconnaissance for dependency confusion attacks by revealing internal build host details and private package namespaces without user consent.
AI Analysis
Technical Summary
The 'dependency_confusions' npm package version 99.9.9 includes a postinstall lifecycle hook that runs index.js on npm install. This script gathers environment details such as os.userInfo(), os.hostname(), current working directory, local IPv4 address, and platform, then exfiltrates this information as JSON to a hardcoded webhook.site URL. This automatic data exfiltration matches known patterns of dependency confusion reconnaissance, enabling attackers to identify internal infrastructure and private package namespaces to target subsequent attacks against private registries.
Potential Impact
The malicious postinstall script leaks sensitive environment information from the victim's build environment, including usernames, hostnames, directory paths, and network addresses. This information disclosure can aid attackers in crafting targeted dependency confusion attacks against private package registries, potentially leading to further compromise of internal systems or supply chain attacks.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected version (=99.9.9) of the 'dependency_confusions' package. Review and audit package dependencies for unexpected lifecycle scripts, especially postinstall hooks that perform network communications. Consider using package integrity verification and restricting installation of untrusted packages to prevent similar malicious code execution.
MAL-2026-10085: Malicious code in dependency_confusions (npm)
Description
The npm package 'dependency_confusions' version 99.9.9 contains malicious code that executes automatically upon installation via a postinstall hook. This code collects sensitive environment information including the installer's OS username, hostname, current working directory, local IPv4 address, and platform, then sends this data to a hardcoded external webhook. This behavior facilitates reconnaissance for dependency confusion attacks by revealing internal build host details and private package namespaces without user consent.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'dependency_confusions' npm package version 99.9.9 includes a postinstall lifecycle hook that runs index.js on npm install. This script gathers environment details such as os.userInfo(), os.hostname(), current working directory, local IPv4 address, and platform, then exfiltrates this information as JSON to a hardcoded webhook.site URL. This automatic data exfiltration matches known patterns of dependency confusion reconnaissance, enabling attackers to identify internal infrastructure and private package namespaces to target subsequent attacks against private registries.
Potential Impact
The malicious postinstall script leaks sensitive environment information from the victim's build environment, including usernames, hostnames, directory paths, and network addresses. This information disclosure can aid attackers in crafting targeted dependency confusion attacks against private package registries, potentially leading to further compromise of internal systems or supply chain attacks.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected version (=99.9.9) of the 'dependency_confusions' package. Review and audit package dependencies for unexpected lifecycle scripts, especially postinstall hooks that perform network communications. Consider using package integrity verification and restricting installation of untrusted packages to prevent similar malicious code execution.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10085
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba8e68715ace435820f4
Added to database: 07/10/2026, 09:25:34 UTC
Last enriched: 07/10/2026, 10:07:08 UTC
Last updated: 07/10/2026, 10:07:08 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.