MAL-2026-10683: Malicious code in formatters.ts (npm)
The npm package 'formatters.ts' version 14.2.1 contains malicious code that executes during installation. It runs a preinstall hook executing index.js, which collects detailed host and user system information and sends it to a hardcoded external server. The package appears to be a dependency-confusion typosquat with empty metadata, designed solely to perform reconnaissance on the victim's environment.
AI Analysis
Technical Summary
The 'formatters.ts' npm package version 14.2.1 includes a preinstall script that executes index.js upon installation. This script gathers extensive system information including hostname, platform, architecture, home directory, user details (username, uid, gid, shell), OS release, memory, CPU count, and command outputs from 'whoami', 'id', and 'pwd'. It then sends this data as a JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package mimics a legitimate formatter/TypeScript module but lacks author and description metadata, consistent with a dependency confusion typosquatting attack aimed at reconnaissance during install time.
Potential Impact
The malicious package collects sensitive host and user environment information and exfiltrates it to an attacker-controlled server. This reconnaissance data could be used to inform further targeted attacks or compromise attempts. There is no indication of code execution beyond data collection or persistence mechanisms, and no known exploits in the wild have been reported.
Mitigation Recommendations
No official patch or remediation is currently available. Users should avoid installing the 'formatters.ts' package version 14.2.1 from untrusted sources. Verify package authenticity before installation, especially for packages with empty or suspicious metadata. Consider using package integrity verification and dependency audit tools to detect and block typosquatting or malicious packages.
MAL-2026-10683: Malicious code in formatters.ts (npm)
Description
The npm package 'formatters.ts' version 14.2.1 contains malicious code that executes during installation. It runs a preinstall hook executing index.js, which collects detailed host and user system information and sends it to a hardcoded external server. The package appears to be a dependency-confusion typosquat with empty metadata, designed solely to perform reconnaissance on the victim's environment.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'formatters.ts' npm package version 14.2.1 includes a preinstall script that executes index.js upon installation. This script gathers extensive system information including hostname, platform, architecture, home directory, user details (username, uid, gid, shell), OS release, memory, CPU count, and command outputs from 'whoami', 'id', and 'pwd'. It then sends this data as a JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package mimics a legitimate formatter/TypeScript module but lacks author and description metadata, consistent with a dependency confusion typosquatting attack aimed at reconnaissance during install time.
Potential Impact
The malicious package collects sensitive host and user environment information and exfiltrates it to an attacker-controlled server. This reconnaissance data could be used to inform further targeted attacks or compromise attempts. There is no indication of code execution beyond data collection or persistence mechanisms, and no known exploits in the wild have been reported.
Mitigation Recommendations
No official patch or remediation is currently available. Users should avoid installing the 'formatters.ts' package version 14.2.1 from untrusted sources. Verify package authenticity before installation, especially for packages with empty or suspicious metadata. Consider using package integrity verification and dependency audit tools to detect and block typosquatting or malicious packages.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10683
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a58b51b68715ace43db4794
Added to database: 07/16/2026, 10:40:27 UTC
Last enriched: 07/16/2026, 14:31:06 UTC
Last updated: 07/16/2026, 22:16:59 UTC
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.