Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10397: Malicious code in @car_loans/dealerships-approval (npm)

0
Critical
Published: 07/13/2026 (07/13/2026, 05:13:48 UTC)
Source: GCVE Database
Product: @car_loans/dealerships-approval

Description

The npm package @car_loans/dealerships-approval version 7.1.5 contains malicious code embedded in a heavily obfuscated postinstall script. Upon installation, the script downloads and executes attacker-controlled code without user interaction, collects host fingerprinting data, and exfiltrates it via HTTP POST and DNS tunneling. The package masquerades as an internal browserslist config and exhibits dependency confusion tactics by using a suspicious scope and non-existent domain URLs. This results in immediate code execution and data exfiltration on any machine that installs this package from the public registry.

Affected software

npmghsa
@car_loans/dealerships-approval
Affected versions
=7.1.5

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 09:50:31 UTC

Technical Analysis

@car_loans/dealerships-approval 7.1.5 is a malicious npm package that disguises itself as a browserslist config but includes an obfuscated postinstall script. This script downloads a remote payload in base64 fragments, decrypts it using RC4, writes it to disk with executable permissions, and runs it detached from the install process. It collects system information such as hostname, username, platform, architecture, package name/version, and an event tag, then exfiltrates this data via HTTP POST to a remote host. Additionally, it uses DNS resolution calls with encoded fingerprint data as a covert DNS tunnel to bypass HTTP egress filtering. The package also uses dependency confusion by presenting itself as an internal package with a fake scope and instructing users to point npm configuration to a non-existent domain, enabling attackers to trigger install-time code execution and data theft on targeted organizations.

Potential Impact

This malicious package enables attackers to execute arbitrary code on the installer's machine without user interaction during npm install. It also collects and exfiltrates sensitive host fingerprinting information, potentially compromising the security and privacy of the affected system. The use of DNS tunneling for data exfiltration may evade traditional network monitoring and filtering controls. The dependency confusion technique increases the risk of inadvertent installation in targeted environments, leading to immediate compromise.

Mitigation Recommendations

No official patch or remediation is currently available for this malicious package. Users and organizations should avoid installing @car_loans/dealerships-approval version 7.1.5 and any packages from the suspicious @car_loans scope. Review and restrict npm registry sources to trusted repositories only. Monitor for and remove any instances of this package from development and production environments. Since this is a malicious package published to the public npm registry, consider reporting it to npm security teams for takedown and further investigation. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10397
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a54adf168715ace438f6cc9

Added to database: 07/13/2026, 09:20:49 UTC

Last enriched: 07/13/2026, 09:50:31 UTC

Last updated: 07/13/2026, 09:50:31 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses