MAL-2026-10678
Malicious code in ls-env-config (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c) Package declares a `preinstall` script (`node./index.js`) that fires automatically on `npm install`. The executed `index.js` issues an HTTP GET to a Burp-Collaborator-style subdomain at `85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01`. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for ls-env-config (npm). Pin to a known-safe version or switch to an alternative.