MAL-2026-10478
Malicious code in @sectest429/hello-npm-world (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (479b9303d76a49dfacb402f0a906e32686b5d276e23f429678150e73e506550d) The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @sectest429/hello-npm-world (npm). Pin to a known-safe version or switch to an alternative.