api-changelly @19.2.11
Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC
OSV ID
MAL-2026-10200
Ecosystem
npm
Summary
The package declares preinstall: node index.js , which runs automatically on npm install . index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes whoami and id via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56 . The package name api-changelly impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private changelly -family dependency to this public package.
Source: amazon-inspector (a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.