VDB
KO

MAL-2026-10214

Malicious code in babel-preset-lib-client (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4) index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of `printenv` (base64-encoded), and the base64-encoded output of `tree../`, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / babel-preset-lib-client

No fixed version published yet for babel-preset-lib-client (npm). Pin to a known-safe version or switch to an alternative.

References