MAL-2026-10509
Malicious code in test_adminet (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c) The package's package.json declares a preinstall hook that runs index.js. On npm install, index.js uses child_process.exec to curl-POST installer identifiers ($(whoami), $(hostname), id output) together with the contents of /etc/passwd, /etc/hosts, and /etc/shadow (base64-encoded and stuffed into the User-Agent header) to a hardcoded webhook.site endpoint. The /etc/shadow read attempts to harvest local password hashes; if the install runs as root (common in CI/Docker), hashes are transmitted off-host. Behavior fires automatically on default npm install with no user interaction.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for test_adminet (npm). Pin to a known-safe version or switch to an alternative.