VDB
KO

MAL-2026-10509

Malicious code in test_adminet (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c) The package's package.json declares a preinstall hook that runs index.js. On npm install, index.js uses child_process.exec to curl-POST installer identifiers ($(whoami), $(hostname), id output) together with the contents of /etc/passwd, /etc/hosts, and /etc/shadow (base64-encoded and stuffed into the User-Agent header) to a hardcoded webhook.site endpoint. The /etc/shadow read attempts to harvest local password hashes; if the install runs as root (common in CI/Docker), hashes are transmitted off-host. Behavior fires automatically on default npm install with no user interaction.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / test_adminet

No fixed version published yet for test_adminet (npm). Pin to a known-safe version or switch to an alternative.

References