MAL-2026-7003: Malicious code in searchresults (npm)
The npm package 'searchresults' version 999.0.0 is a malicious dependency confusion squatting package. It executes code automatically during installation that collects detailed system and CI environment information, including sensitive credentials if present, and exfiltrates this data to attacker-controlled endpoints. The package uses DNS-based fallback to bypass HTTP egress filtering. Installing this package can lead to full system compromise and exposure of secrets. Immediate removal and credential rotation are strongly advised.
AI Analysis
Technical Summary
The 'searchresults' npm package at version 999.0.0 is a high-version dependency confusion squatting package designed to execute malicious code automatically during installation via preinstall and postinstall scripts running 'node callback.js'. This script collects installer identity data (username, uid/gid, home directory, shell, hostname, platform, current working directory, local and external IP addresses) and CI environment variables (GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, BUILD_NUMBER). It probes for monetizable credentials such as AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, and DOCKER_PASSWORD and reports all collected information to a hardcoded Discord webhook and a callback URL. To evade HTTP egress filtering, it also encodes the data in base64 and sends it via DNS lookups to the attacker's domain. The package's version and generic name are crafted to supersede internal private packages, enabling arbitrary organizations to inadvertently execute malicious code during npm install. Despite self-labeling as a 'security research PoC', this does not imply consent from the installer. The presence of this package indicates a full compromise, requiring immediate secret rotation and package removal.
Potential Impact
Installation of this package results in automatic execution of malicious code that exfiltrates sensitive system and CI environment information, including potentially monetizable credentials. This leads to full compromise of the affected system, with attacker access to secrets and keys. The attacker can bypass HTTP egress filtering using DNS-based data exfiltration. Even after removal, the system may remain compromised due to potential persistence mechanisms.
Mitigation Recommendations
No official patch or fix is available for this malicious package. Immediate removal of the 'searchresults' package version 999.0.0 is required. All secrets and credentials (AWS keys, GitHub tokens, NPM tokens, Docker passwords) on the affected system must be rotated from a separate, trusted environment. Organizations should audit their package dependencies to avoid installing high-version squatting packages and implement controls to prevent dependency confusion attacks. Monitor for any unauthorized access or persistence on affected systems.
MAL-2026-7003: Malicious code in searchresults (npm)
Description
The npm package 'searchresults' version 999.0.0 is a malicious dependency confusion squatting package. It executes code automatically during installation that collects detailed system and CI environment information, including sensitive credentials if present, and exfiltrates this data to attacker-controlled endpoints. The package uses DNS-based fallback to bypass HTTP egress filtering. Installing this package can lead to full system compromise and exposure of secrets. Immediate removal and credential rotation are strongly advised.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'searchresults' npm package at version 999.0.0 is a high-version dependency confusion squatting package designed to execute malicious code automatically during installation via preinstall and postinstall scripts running 'node callback.js'. This script collects installer identity data (username, uid/gid, home directory, shell, hostname, platform, current working directory, local and external IP addresses) and CI environment variables (GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, BUILD_NUMBER). It probes for monetizable credentials such as AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, and DOCKER_PASSWORD and reports all collected information to a hardcoded Discord webhook and a callback URL. To evade HTTP egress filtering, it also encodes the data in base64 and sends it via DNS lookups to the attacker's domain. The package's version and generic name are crafted to supersede internal private packages, enabling arbitrary organizations to inadvertently execute malicious code during npm install. Despite self-labeling as a 'security research PoC', this does not imply consent from the installer. The presence of this package indicates a full compromise, requiring immediate secret rotation and package removal.
Potential Impact
Installation of this package results in automatic execution of malicious code that exfiltrates sensitive system and CI environment information, including potentially monetizable credentials. This leads to full compromise of the affected system, with attacker access to secrets and keys. The attacker can bypass HTTP egress filtering using DNS-based data exfiltration. Even after removal, the system may remain compromised due to potential persistence mechanisms.
Mitigation Recommendations
No official patch or fix is available for this malicious package. Immediate removal of the 'searchresults' package version 999.0.0 is required. All secrets and credentials (AWS keys, GitHub tokens, NPM tokens, Docker passwords) on the affected system must be rotated from a separate, trusted environment. Organizations should audit their package dependencies to avoid installing high-version squatting packages and implement controls to prevent dependency confusion attacks. Monitor for any unauthorized access or persistence on affected systems.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-7003
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-cpff-p65h-24c4"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba2f68715ace4357cfd3
Added to database: 07/10/2026, 09:23:59 UTC
Last enriched: 07/10/2026, 09:29:18 UTC
Last updated: 07/10/2026, 09:29:18 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.