Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10096: Malicious code in guest-app-ui (npm)

0
High
Published: 07/09/2026 (07/09/2026, 20:43:04 UTC)
Source: GCVE Database
Product: guest-app-ui

Description

The guest-app-ui npm package version 99.0.0 contains malicious code that executes during installation. It collects host identifiers such as hostname, user environment variables, current working directory, platform details, and internal IP addresses. This data is encoded and sent to a hardcoded external server via DNS queries and HTTP/HTTPS POST requests, with TLS verification disabled for HTTPS. The package uses a name that can cause dependency confusion, potentially leading organizations with private packages of the same name to inadvertently install this malicious public package. The malicious behavior is unconditional and not gated by any authorization checks.

Affected software

npmghsa
guest-app-ui
Affected versions
=99.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 10:00:00 UTC

Technical Analysis

The guest-app-ui package published on npm as version 99.0.0 is a malicious artifact designed to exploit dependency confusion by using an unclaimed internal package name. Its installation scripts (preinstall and postinstall lifecycle hooks) execute a callback that collects detailed host fingerprinting information including hostname, user environment variables, directory paths, platform and network details. This information is base64url-encoded and exfiltrated to a hardcoded external host via three redundant channels: DNS subdomain queries, HTTP POST, and HTTPS POST with disabled TLS verification. This unconditional data exfiltration occurs on every installation of this package version, posing a privacy and security risk to affected systems.

Potential Impact

Hosts that install guest-app-ui version 99.0.0 will have sensitive system and environment information collected and transmitted to an external attacker-controlled server. This can lead to exposure of internal network details and user environment data, potentially facilitating further targeted attacks or reconnaissance. The malicious package exploits dependency confusion, increasing the risk of inadvertent installation in organizations using private registries without strict package scoping or pinning.

Mitigation Recommendations

No official patch or fix is currently available for this malicious package version. Organizations should audit their package dependencies and private registries to ensure that no unscoped or unpinned references to guest-app-ui exist that could cause this malicious version to be installed. Avoid installing or updating to guest-app-ui version 99.0.0 from public npm registries. Implement strict package scoping and registry pinning to prevent dependency confusion attacks. Monitor and block network communications to the identified malicious host 4li9yfz7.instances.httpworkbench.com.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10096
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50ba7768715ace43580556

Added to database: 07/10/2026, 09:25:11 UTC

Last enriched: 07/10/2026, 10:00:00 UTC

Last updated: 07/10/2026, 12:10:06 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses