Malicious code in loadninja-shared (npm)

---

__

Source: amazon-inspector (dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46)

loadninja-shared@9.9.99 is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node beacon.js", which fires automatically on npm install. beacon.js reads os.hostname() and transmits it — together with a nonce and the package name — to the attacker-controlled out-of-band domain tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com (Burp Collaborator infrastructure) over both a DNS lookup (dns.lookup(NONCE + '.' + host63 + '.' + HOST,...)) and an HTTPS POST. The version 9.9.99 is the canonical high-version trick used to win npm resolution against a legitimate internal package of the same name, capturing misrouted internal builds. Although a code comment labels the file a "benign PoC," the behavior is identical to a live dependency-confusion exploitation beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.

Source: ossf-package-analysis (1ead72fc15074f049a104031ef60cad8af0f0680d1bf5ffee1492f500a3506d8)

The OpenSSF Package Analysis project identified 'loadninja-shared' @ 9.9.99 (npm) as malicious.

It is considered malicious because:

• The package communicates with a domain associated with malicious activity.