VDB
KO

MAL-2026-10678

Malicious code in ls-env-config (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c) Package declares a `preinstall` script (`node./index.js`) that fires automatically on `npm install`. The executed `index.js` issues an HTTP GET to a Burp-Collaborator-style subdomain at `85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01`. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ls-env-config

No fixed version published yet for ls-env-config (npm). Pin to a known-safe version or switch to an alternative.

References