MAL-2026-6577: Malicious code in int_sezzle_sfra (npm)
The npm package int_sezzle_sfra version 25.2.1 contains malicious code that executes automatically during installation. It collects sensitive host information such as hostname, OS details, user identity, and shell command outputs, then sends this data to an attacker-controlled external server. The package name mimics a legitimate Salesforce Commerce Cloud cartridge, indicating a dependency confusion attack. This results in unconsented data exfiltration from the installer's environment.
AI Analysis
Technical Summary
The int_sezzle_sfra npm package version 25.2.1 includes a preinstall script (node index.js) that runs automatically on npm install. This script gathers host reconnaissance data including hostname, operating system information, username, user and group IDs, shell, home directory, current working directory, and the output of 'whoami' and 'id' commands executed via child_process.exec. The collected data is sent as JSON to a hardcoded Burp Collaborator OAST subdomain controlled by the attacker. The package's naming mimics Sezzle's internal Salesforce Commerce Cloud cartridge, consistent with a dependency confusion attack targeting private vendor packages. This leads to unauthorized exfiltration of sensitive environment information from the installer machine.
Potential Impact
Installing this malicious package causes unconsented exfiltration of sensitive host and user information to an attacker-controlled server. This compromises the privacy and security of the installer's environment and could facilitate further targeted attacks. There is no indication of remote code execution beyond the install-time script or direct system compromise, but the data leakage itself is a significant privacy and security risk.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the int_sezzle_sfra package version 25.2.1 from untrusted sources. Verify package authenticity before installation, especially for packages mimicking internal vendor names. Monitor for updates from the vendor or npm registry regarding removal or replacement of the malicious package. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
MAL-2026-6577: Malicious code in int_sezzle_sfra (npm)
Description
The npm package int_sezzle_sfra version 25.2.1 contains malicious code that executes automatically during installation. It collects sensitive host information such as hostname, OS details, user identity, and shell command outputs, then sends this data to an attacker-controlled external server. The package name mimics a legitimate Salesforce Commerce Cloud cartridge, indicating a dependency confusion attack. This results in unconsented data exfiltration from the installer's environment.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The int_sezzle_sfra npm package version 25.2.1 includes a preinstall script (node index.js) that runs automatically on npm install. This script gathers host reconnaissance data including hostname, operating system information, username, user and group IDs, shell, home directory, current working directory, and the output of 'whoami' and 'id' commands executed via child_process.exec. The collected data is sent as JSON to a hardcoded Burp Collaborator OAST subdomain controlled by the attacker. The package's naming mimics Sezzle's internal Salesforce Commerce Cloud cartridge, consistent with a dependency confusion attack targeting private vendor packages. This leads to unauthorized exfiltration of sensitive environment information from the installer machine.
Potential Impact
Installing this malicious package causes unconsented exfiltration of sensitive host and user information to an attacker-controlled server. This compromises the privacy and security of the installer's environment and could facilitate further targeted attacks. There is no indication of remote code execution beyond the install-time script or direct system compromise, but the data leakage itself is a significant privacy and security risk.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the int_sezzle_sfra package version 25.2.1 from untrusted sources. Verify package authenticity before installation, especially for packages mimicking internal vendor names. Monitor for updates from the vendor or npm registry regarding removal or replacement of the malicious package. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6577
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed7627e9c79719939579
Added to database: 06/29/2026, 22:11:02 UTC
Last enriched: 06/29/2026, 22:40:37 UTC
Last updated: 06/30/2026, 00:47:11 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.