MAL-2026-6565: Malicious code in @uisp/utils (npm)
The @uisp/utils npm package versions 99.0.0, 99.0.1, and 99.0.2 contain malicious code that executes automatically during installation. The package's preinstall script runs a command to identify the host user and exfiltrates this information encoded via DNS and HTTPS requests to an attacker-controlled server. This results in remote code execution at install time and leakage of host identity information.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The @uisp/utils package published to the public npm registry under the @uisp scope at versions 99.0.0, 99.0.1, and 99.0.2 includes a preinstall script that executes 'node beacon.js'. This script runs 'whoami' via child_process.execSync and sends the base64-encoded output to a hardcoded Burp Collaborator domain through DNS lookups and HTTPS GET requests. Installing this package from the public registry, or from any misconfigured registry that falls back to it, causes automatic execution of attacker-controlled code on the build host and leaks host identity information to an external collector. The README's claim of authorized research does not mitigate the risk, and it does not constitute consent to this behavior on the hosts where the package is installed.
Potential Impact
Installation of affected versions of the @uisp/utils package results in remote code execution on the build host at install time and exfiltration of sensitive host identity information to an external attacker-controlled server. This compromises the security and privacy of the build environment and may facilitate further attacks.
Mitigation Recommendations
No official patch or fix is currently available. Users should avoid installing the affected versions (99.0.0, 99.0.1 and 99.0.2) of the @uisp/utils package from the public npm registry. Verify registry configurations to prevent fallback to the public registry for private packages. Monitor for updates from the package maintainers or npm advisories for remediation guidance.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6565
- OSV schema version: 1.7.4
- Aliases: none
- Ecosystems: npm
- Database-specific severity: not provided
- CVSS version: not provided
Threat ID: 6a42ed7827e9c797199395d0
Added to database: 06/29/2026, 22:11:04 UTC
Last enriched: 06/29/2026, 22:41:28 UTC
Last updated: 06/30/2026, 00:54:17 UTC