npm

api-changelly @19.2.11

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10200

Ecosystem

npm

Summary

The package declares preinstall: node index.js , which runs automatically on npm install . index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes whoami and id via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56 . The package name api-changelly impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private changelly -family dependency to this public package.

Source: amazon-inspector (a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.