MAL-2026-10740
Malicious code in myreviews-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9c41d5d4352e265f0efbc0089a19c5773ceeb76c0265831eeeeca19151fe4f64) package.json declares a postinstall lifecycle hook that runs `node -e` to issue an HTTPS GET to a hardcoded webhook.site collector URL, appending the installer's hostname (`os.hostname()`), OS username (`os.userInfo().username`), current working directory (`process.cwd()`), and a timestamp as query parameters. The request fires automatically on `npm install` with no opt-in and no relation to any documented package functionality. The version number (99.0.0) is consistent with a dependency-confusion lure intended to shadow an internal package name and beacon successful installs to the attacker.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for myreviews-core (npm). Pin to a known-safe version or switch to an alternative.