MAL-2026-10159
Malicious code in npm-rce-safe-proof-yourname (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab) On `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose (`npm script for showing date strings`) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for npm-rce-safe-proof-yourname (npm). Pin to a known-safe version or switch to an alternative.