MAL-2026-10200: Malicious code in api-changelly (npm)
The npm package 'api-changelly' version 19.2.11 is a malicious package impersonating the Changelly crypto-exchange brand. It contains no legitimate functionality and executes a script during installation that collects detailed system and user information, including hostname, platform, architecture, user details, and command outputs of 'whoami' and 'id'. This information is sent to a hardcoded external server. The package is designed as a reconnaissance beacon, likely targeting internal build systems via dependency confusion.
AI Analysis
Technical Summary
The 'api-changelly' npm package version 19.2.11 contains malicious code that runs automatically on installation via a 'preinstall' script executing 'node index.js'. This script collects installer environment details such as OS hostname, platform, architecture, user information, and executes system commands 'whoami' and 'id' to gather user identity data. The collected data is serialized into JSON and exfiltrated via an HTTP POST request to a hardcoded Burp Collaborator subdomain. The package impersonates the legitimate Changelly brand but provides no legitimate functionality, serving as a reconnaissance beacon in dependency confusion attacks targeting internal build systems that may mistakenly resolve private dependencies to this public malicious package.
Potential Impact
The malicious package exfiltrates sensitive environment and user identity information from systems where it is installed. This can lead to reconnaissance data leakage that may facilitate further targeted attacks or unauthorized access within internal networks. There is no indication of direct code execution beyond the data collection and exfiltration behavior described.
Mitigation Recommendations
No official patch or remediation is indicated for this package. The best mitigation is to avoid installing the 'api-changelly' package version 19.2.11 and audit dependency sources to prevent dependency confusion attacks. Use trusted package registries and verify package authenticity before installation. Monitor and restrict network egress to prevent unauthorized data exfiltration where possible.
MAL-2026-10200: Malicious code in api-changelly (npm)
Description
The npm package 'api-changelly' version 19.2.11 is a malicious package impersonating the Changelly crypto-exchange brand. It contains no legitimate functionality and executes a script during installation that collects detailed system and user information, including hostname, platform, architecture, user details, and command outputs of 'whoami' and 'id'. This information is sent to a hardcoded external server. The package is designed as a reconnaissance beacon, likely targeting internal build systems via dependency confusion.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'api-changelly' npm package version 19.2.11 contains malicious code that runs automatically on installation via a 'preinstall' script executing 'node index.js'. This script collects installer environment details such as OS hostname, platform, architecture, user information, and executes system commands 'whoami' and 'id' to gather user identity data. The collected data is serialized into JSON and exfiltrated via an HTTP POST request to a hardcoded Burp Collaborator subdomain. The package impersonates the legitimate Changelly brand but provides no legitimate functionality, serving as a reconnaissance beacon in dependency confusion attacks targeting internal build systems that may mistakenly resolve private dependencies to this public malicious package.
Potential Impact
The malicious package exfiltrates sensitive environment and user identity information from systems where it is installed. This can lead to reconnaissance data leakage that may facilitate further targeted attacks or unauthorized access within internal networks. There is no indication of direct code execution beyond the data collection and exfiltration behavior described.
Mitigation Recommendations
No official patch or remediation is indicated for this package. The best mitigation is to avoid installing the 'api-changelly' package version 19.2.11 and audit dependency sources to prevent dependency confusion attacks. Use trusted package registries and verify package authenticity before installation. Monitor and restrict network egress to prevent unauthorized data exfiltration where possible.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10200
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ae1068715ace438f8d03
Added to database: 07/13/2026, 09:21:20 UTC
Last enriched: 07/13/2026, 09:59:01 UTC
Last updated: 07/14/2026, 03:32:57 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.