MAL-2026-4732

Malicious code in workrally (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51)

dist/index.js imports child_process and runs `whoami` (observed at multiple call sites), then POSTs the result to a hardcoded remote URL `https://workrally.qq.com`. This is the classic host-identity exfiltration shape: gather installer-side identity via `whoami` and ship it to an attacker-controlled destination. The destination is a literal in the bundle (not a default parameter or user-configurable endpoint), and the package's stated purpose does not justify reporting host identity off-machine. Installing or loading this package leaks the installer's username/host to the operator of workrally.qq.com.

Affected packages

npm / workrally

No fixed version published yet for workrally (npm). Pin to a known-safe version or switch to an alternative.

References