MAL-2026-10107
Malicious code in security-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a) package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On `npm install`, npm fetches whatever tarball that URL currently serves and installs it as node_modules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's node_modules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for security-node (npm). Pin to a known-safe version or switch to an alternative.