SafeDep

Summary

Note: This report is updated by a verification record

Collects and exfiltrates sensitive system information to suspicious domains. Multiple YARA rules are triggered. High entropy file. Extension mismatch.

Verification Record

The package is marked as malware by OSV: MAL-2026-1234 with source: amazon-inspector

Details

The package exhibits multiple strong indicators of malicious behavior. Both index.js and setup.py collect and exfiltrate sensitive system information (hostname, username, current directory, DNS servers, package information) to suspicious oastify.com domains. The LLM-based analysis confirms this exfiltration and flags the hostnames as suspicious. Additionally, the YARA rules nodejs_phone_home, nodejs_phone_home_interact_sh, burp_collab, and pysetup_gets_login are triggered, further supporting the malicious assessment. The file dependency1337-1.0.0.tar.gz has very high entropy, and the extension of dependency1337-1.0.0-py3-none-any.whl does not match its content; both are also suspicious.

uxproject11@1.0.0
Malicious
Verified
Analysed at: 2/23/26, 7:26 PM
Source: https://registry.npmjs.org/uxproject11/-/uxproject11-1.0.0.tgz
SHA256: 8ba401f64c360c1118f4794737656fbe766d68f9af13a36facb7a04d5dda078e
Confidence: High