CRITICAL npm Malware

Malicious code in node-stack-frames (npm)

MAL-2026-5736


Description



Source: amazon-inspector (5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158)

package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname(), os.platform(), and os.arch(), base64-encodes the result, and issues an HTTP GET to https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=<encoded>. The host is a ProjectDiscovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code (its own description identifies it as a security holding placeholder), so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.
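
A defender-side check for the pattern described above, added here as an example (it is not code from the advisory or from its source scanner): it audits a manifest's install lifecycle scripts for inline Node evaluation, network modules, host fingerprinting, base64 encoding and interactsh hostnames. The rule names, `auditManifest`, the severity labels and both sample manifests are assumptions constructed for illustration.

```javascript
// Hooks that npm runs automatically during `npm install`.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Heuristics taken from the advisory's description; rule ids are hypothetical.
const RULES = [
  { id: "inline-node", re: /\bnode\s+(-e|--eval|-p|--print)\b/ },
  { id: "network-module", re: /require\(\s*['"](node:)?(https?|net|dns)['"]\s*\)/ },
  { id: "host-fingerprint", re: /os\.(hostname|platform|arch|userInfo)\s*\(/ },
  { id: "base64-encode", re: /toString\(\s*['"]base64['"]\s*\)|\bbtoa\(/ },
  // Public interactsh domains; extend with your own callback-host blocklist.
  { id: "oast-host", re: /[a-z0-9-]+\.oast\.(live|pro|site|online|fun|me)\b/i },
];

// Returns one finding per lifecycle hook whose command matches any rule.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hits = RULES.filter((r) => r.re.test(cmd)).map((r) => r.id);
    if (hits.length === 0) continue;
    // An OAST host, or network access combined with host fingerprinting,
    // is the beacon shape; anything else is queued for manual review.
    const beacon = hits.includes("oast-host") ||
      (hits.includes("network-module") && hits.includes("host-fingerprint"));
    findings.push({ hook, hits, severity: beacon ? "high" : "review" });
  }
  return findings;
}

// Constructed sample: same shape as the described script, request elided.
const SUSPECT = {
  name: "constructed-holding-package",
  scripts: {
    preinstall: "node -e \"const os=require('os'),http=require('http');" +
      "const d=Buffer.from(os.hostname()+os.platform()+os.arch())" +
      ".toString('base64');/* GET to collector-id.oast.live elided */\"",
  },
};

// Constructed benign sample: a build step, plus a non-lifecycle script
// that npm does not run on install and is therefore not audited.
const BENIGN = {
  name: "constructed-benign-package",
  scripts: { postinstall: "node scripts/build.js", test: "node -e \"require('http')\"" },
};

console.log(JSON.stringify(auditManifest(SUSPECT)), JSON.stringify(auditManifest(BENIGN)));
```

Run it over each `package.json` under `node_modules` or in a registry mirror before install; installing with `npm install --ignore-scripts` prevents lifecycle hooks from executing at all.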
