MAL-2026-10397: Malicious code in @car_loans/dealerships-approval (npm)
The npm package @car_loans/dealerships-approval version 7.1.5 contains malicious code embedded in a heavily obfuscated postinstall script. Upon installation, the script downloads and executes attacker-controlled code without user interaction, collects host fingerprinting data, and exfiltrates it via HTTP POST and DNS tunneling. The package masquerades as an internal browserslist config and exhibits dependency confusion tactics by using a suspicious scope and non-existent domain URLs. This results in immediate code execution and data exfiltration on any machine that installs this package from the public registry.
AI Analysis
Technical Summary
@car_loans/dealerships-approval 7.1.5 is a malicious npm package that disguises itself as a browserslist config but includes an obfuscated postinstall script. This script downloads a remote payload in base64 fragments, decrypts it using RC4, writes it to disk with executable permissions, and runs it detached from the install process. It collects system information such as hostname, username, platform, architecture, package name/version, and an event tag, then exfiltrates this data via HTTP POST to a remote host. Additionally, it uses DNS resolution calls with encoded fingerprint data as a covert DNS tunnel to bypass HTTP egress filtering. The package also uses dependency confusion by presenting itself as an internal package with a fake scope and instructing users to point npm configuration to a non-existent domain, enabling attackers to trigger install-time code execution and data theft on targeted organizations.
Potential Impact
This malicious package enables attackers to execute arbitrary code on the installer's machine without user interaction during npm install. It also collects and exfiltrates sensitive host fingerprinting information, potentially compromising the security and privacy of the affected system. The use of DNS tunneling for data exfiltration may evade traditional network monitoring and filtering controls. The dependency confusion technique increases the risk of inadvertent installation in targeted environments, leading to immediate compromise.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users and organizations should avoid installing @car_loans/dealerships-approval version 7.1.5 and any packages from the suspicious @car_loans scope. Review and restrict npm registry sources to trusted repositories only. Monitor for and remove any instances of this package from development and production environments. Since this is a malicious package published to the public npm registry, consider reporting it to npm security teams for takedown and further investigation. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
MAL-2026-10397: Malicious code in @car_loans/dealerships-approval (npm)
Description
The npm package @car_loans/dealerships-approval version 7.1.5 contains malicious code embedded in a heavily obfuscated postinstall script. Upon installation, the script downloads and executes attacker-controlled code without user interaction, collects host fingerprinting data, and exfiltrates it via HTTP POST and DNS tunneling. The package masquerades as an internal browserslist config and exhibits dependency confusion tactics by using a suspicious scope and non-existent domain URLs. This results in immediate code execution and data exfiltration on any machine that installs this package from the public registry.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
@car_loans/dealerships-approval 7.1.5 is a malicious npm package that disguises itself as a browserslist config but includes an obfuscated postinstall script. This script downloads a remote payload in base64 fragments, decrypts it using RC4, writes it to disk with executable permissions, and runs it detached from the install process. It collects system information such as hostname, username, platform, architecture, package name/version, and an event tag, then exfiltrates this data via HTTP POST to a remote host. Additionally, it uses DNS resolution calls with encoded fingerprint data as a covert DNS tunnel to bypass HTTP egress filtering. The package also uses dependency confusion by presenting itself as an internal package with a fake scope and instructing users to point npm configuration to a non-existent domain, enabling attackers to trigger install-time code execution and data theft on targeted organizations.
Potential Impact
This malicious package enables attackers to execute arbitrary code on the installer's machine without user interaction during npm install. It also collects and exfiltrates sensitive host fingerprinting information, potentially compromising the security and privacy of the affected system. The use of DNS tunneling for data exfiltration may evade traditional network monitoring and filtering controls. The dependency confusion technique increases the risk of inadvertent installation in targeted environments, leading to immediate compromise.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users and organizations should avoid installing @car_loans/dealerships-approval version 7.1.5 and any packages from the suspicious @car_loans scope. Review and restrict npm registry sources to trusted repositories only. Monitor for and remove any instances of this package from development and production environments. Since this is a malicious package published to the public npm registry, consider reporting it to npm security teams for takedown and further investigation. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10397
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54adf168715ace438f6cc9
Added to database: 07/13/2026, 09:20:49 UTC
Last enriched: 07/13/2026, 09:50:31 UTC
Last updated: 07/13/2026, 09:50:31 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.