VDB
KO

MAL-2026-10478

Malicious code in @sectest429/hello-npm-world (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (479b9303d76a49dfacb402f0a906e32686b5d276e23f429678150e73e506550d) The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @sectest429/hello-npm-world

No fixed version published yet for @sectest429/hello-npm-world (npm). Pin to a known-safe version or switch to an alternative.

References