MAL-2026-10634
Malicious code in estore-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411) package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/d32804ac-1bbb-4100-ab60-95231dd3251c/, sending the installer's OS username ($(whoami)), current working directory ($(pwd)), and hostname ($(hostname)) as query parameters. This fires automatically on `npm install` before any user code runs. webhook.site is an anonymous request-collector service; the destination is not associated with a legitimate publisher endpoint. The behavior is host reconnaissance / beaconing consistent with a supply-chain recon stage.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for estore-client (npm). Pin to a known-safe version or switch to an alternative.