—

MAL-2026-5738

Malicious code in postinstall-logger-7x9z (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e) On install, package.json's postinstall hook ("postinstall": "node run.js") triggers execution of bundled beacon scripts (beacon15.js and beacon_linux.js). These scripts pull in child_process, os, and http modules and issue outbound HTTP GET/POST requests carrying host identifiers including os.hostname() and os.platform(). The combination of automatic execution at install time, host-information collection, and outbound HTTP requests to a hardcoded destination is the canonical install-time exfiltration beacon shape. Any developer or CI system running `npm install` for this package will silently leak host data and execute code from the bundled scripts under the installing user's privileges.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / postinstall-logger-7x9z

No fixed version published yet for postinstall-logger-7x9z (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/postinstall-logger-7x9z/v/1.0.0 [PACKAGE]