MAL-2026-10678: Malicious code in ls-env-config (npm)
The npm package ls-env-config version 1.0.5 contains malicious code that executes automatically during installation via a preinstall script. This script runs an index.js file that performs an HTTP GET request to a third-party collaborator domain, confirming code execution on the installer's machine and leaking host and network information. This behavior is consistent with a dependency-confusion probe, causing unintended network callbacks to an external host on every install.
AI Analysis
Technical Summary
The ls-env-config npm package version 1.0.5 declares a preinstall script that executes node ./index.js automatically when the package is installed. This script issues an HTTP GET request to a Burp-Collaborator-style subdomain at a third-party domain (collaborator.zivyelab.com), confirming code execution on the installer's machine and leaking host and network reachability information. This pattern aligns with dependency-confusion probing techniques, resulting in network callbacks to a non-first-party host during installation.
Potential Impact
The malicious preinstall script causes arbitrary code execution on the machine installing the package, leading to information leakage about the host and network environment via HTTP and DNS callbacks to an external attacker-controlled domain. This compromises the confidentiality of the installer's environment and may facilitate further attacks or reconnaissance.
Mitigation Recommendations
No official patch or remediation is currently available for ls-env-config version 1.0.5. Users should avoid installing this package version and verify package authenticity before installation. Monitor vendor advisories for updates or fixes. Since this is not a cloud service, remediation depends on users not installing or removing the affected package.
MAL-2026-10678: Malicious code in ls-env-config (npm)
Description
The npm package ls-env-config version 1.0.5 contains malicious code that executes automatically during installation via a preinstall script. This script runs an index.js file that performs an HTTP GET request to a third-party collaborator domain, confirming code execution on the installer's machine and leaking host and network information. This behavior is consistent with a dependency-confusion probe, causing unintended network callbacks to an external host on every install.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ls-env-config npm package version 1.0.5 declares a preinstall script that executes node ./index.js automatically when the package is installed. This script issues an HTTP GET request to a Burp-Collaborator-style subdomain at a third-party domain (collaborator.zivyelab.com), confirming code execution on the installer's machine and leaking host and network reachability information. This pattern aligns with dependency-confusion probing techniques, resulting in network callbacks to a non-first-party host during installation.
Potential Impact
The malicious preinstall script causes arbitrary code execution on the machine installing the package, leading to information leakage about the host and network environment via HTTP and DNS callbacks to an external attacker-controlled domain. This compromises the confidentiality of the installer's environment and may facilitate further attacks or reconnaissance.
Mitigation Recommendations
No official patch or remediation is currently available for ls-env-config version 1.0.5. Users should avoid installing this package version and verify package authenticity before installation. Monitor vendor advisories for updates or fixes. Since this is not a cloud service, remediation depends on users not installing or removing the affected package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10678
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ec968715ace43b3ec0e
Added to database: 07/15/2026, 12:36:25 UTC
Last enriched: 07/15/2026, 12:39:16 UTC
Last updated: 07/15/2026, 12:39:16 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.