@uisp/utils @99.0.2

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC

Malicious

OSV ID

MAL-2026-6565

Ecosystem

npm

Summary

Package published to the public npm registry under the @uisp scope at version 99.0.1, the canonical dependency-confusion shape (organization-matching scope plus an inflated version number to outrank private internal releases).

package.json declares scripts.preinstall="node beacon.js". beacon.js unconditionally runs child_process.execSync('whoami') and exfiltrates the base64-encoded output to a hardcoded Burp Collaborator host (w963dgom49n3ibi6677fuaxd64cv0loa.oastify.com) via both a DNS lookup of NONCE.<b64>.<collab> and an https.get to https://<collab>/<nonce>/whoami/<b64>.

Installer harm: running npm install against the public registry (or any misconfigured registry resolution that falls through to it) auto-executes attacker code on the build host and leaks host identity to an external out-of-band collector.

The README's claim of authorized research does not constitute consent from arbitrary installers and does not mitigate the install-time RCE and exfiltration mechanism.

Source: amazon-inspector (e841054b9f1d1625077178da23e8096c345ff196851058742d4903747d1461ea)
