—

MAL-2026-5733

Malicious code in node-app-doctor (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e) collect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / node-app-doctor

No fixed version published yet for node-app-doctor (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/node-app-doctor/v/1.0.9 [PACKAGE]
https://www.npmjs.com/package/node-app-doctor/v/1.0.1 [PACKAGE]
https://www.npmjs.com/package/node-app-doctor/v/1.0.2 [PACKAGE]