Malicious code in axl-ui (npm)
MAL-2026-5742
Description
Source: amazon-inspector (6fbc071f0ee6323c87fa6be049a9b151217f7146605ef89b4494f7ef07e7d534)
axl-ui@9.9.99 is a dependency-confusion squat targeting an internal package name. package.json declares a postinstall hook (node beacon.js) that fires automatically on npm install. beacon.js reads os.hostname() and transmits it to a hardcoded Burp Collaborator out-of-band host (tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com) via two channels: a DNS lookup of <nonce>.host.<collaborator> and an HTTPS POST with JSON body {pkg, nonce, host}. The version number 9.9.99 and the self-described "internal placeholder" description are the canonical dependency-confusion shape: any private build that resolves axl-ui from public npm will execute the beacon and leak the host identity to the attacker. Even if framed as a research proof-of-concept, the harm to installers is real: installer-side data leaves the build machine to an attacker-controlled endpoint without consent.
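The shape described above (an unscoped name, an implausibly high version, an "internal placeholder" description and an install-time lifecycle hook) is something a build pipeline can check for before `npm install` ever runs a script. The following is an added example written for this page, not code from the advisory or from either analysis source. The package.json it audits is constructed to mirror the advisory's description of axl-ui@9.9.99; the set of lifecycle hooks it flags, the version threshold, the description keywords and the registry URL in the generated .npmrc are this script's own assumptions.

```python
"""Audit a package.json for the dependency-confusion pattern in the advisory.

Added example, not the advisory's or any analysis tool's code. The sample
manifest is constructed to match the advisory's description; the heuristics
(hook list, version threshold, keywords) are assumptions of this script.
"""
import json
import re

# Lifecycle scripts npm runs automatically during `npm install` (assumed list
# of the hooks a reviewer would want surfaced before installation).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Keywords that, in a public package's description, suggest it is posing as
# an internal package (assumption, tuned to the advisory's example).
INTERNAL_KEYWORDS = ("internal", "placeholder")

# Constructed sample mirroring what the advisory describes for axl-ui@9.9.99.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "axl-ui",
    "version": "9.9.99",
    "description": "internal placeholder",
    "scripts": {"postinstall": "node beacon.js"},
})


def is_squat_version(version: str, major_threshold: int = 9) -> bool:
    """Versions like 9.9.99 exist only to outrank whatever version the
    internal package carries, so a very high major is itself a signal.
    The threshold is an assumption; adjust it to your own version ranges."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        return False
    major = int(match.group(1))
    return major >= major_threshold


def audit_package_json(text: str) -> list:
    """Return a list of human-readable findings for one package.json.
    An empty list means none of the advisory's indicators were present."""
    pkg = json.loads(text)
    findings = []

    # 1. Install-time hooks: the channel through which beacon.js ran.
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time hook '{hook}' runs: {scripts[hook]}")

    # 2. Version chosen to win resolution against an internal package.
    version = str(pkg.get("version", ""))
    if is_squat_version(version):
        findings.append(f"version {version} looks chosen to outrank an internal package")

    # 3. Description claiming to be an internal or placeholder package.
    description = (pkg.get("description") or "").lower()
    if any(word in description for word in INTERNAL_KEYWORDS):
        findings.append(f"description claims an internal package: {description!r}")

    # 4. Unscoped name: unscoped internal names are exactly what a
    #    public-registry squat can shadow.
    name = pkg.get("name", "")
    if not name.startswith("@"):
        findings.append(f"unscoped name '{name}': public-registry squat is possible")

    return findings


def recommended_npmrc(scope: str, private_registry: str) -> str:
    """Produce the .npmrc lines that close both gaps the advisory relies on:
    ignore-scripts stops lifecycle hooks from running on install, and a
    scoped registry pins the organisation's packages to a private source.
    `scope` and `private_registry` are placeholders supplied by the caller."""
    return (
        "ignore-scripts=true\n"
        f"{scope}:registry={private_registry}\n"
    )


if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print("FINDING:", finding)
    # Placeholder scope and registry URL; substitute your own values.
    print(recommended_npmrc("@example-org", "https://registry.example.internal/"))
```

Run against the constructed sample, the audit reports all four indicators; against a scoped package with only a `test` script it reports nothing. `ignore-scripts=true` disables every lifecycle script, including legitimate ones (native builds, for instance), so pair it with an explicit, reviewed build step rather than treating it as free.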
Source: ossf-package-analysis (aca109fdc13102e60179b8d6c63a996da233e4910b6260da8838df727f33a64f)
The OpenSSF Package Analysis project identified 'axl-ui' @ 9.9.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.