MAL-2026-5739
Malicious code in sheratan_haha (npm)
Details
## Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)

On `npm install`, the package's declared postinstall hook (`node postinstall.js`) runs `whoami` on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (`https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7`) via `https.request`. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name `sheratan_haha`), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.
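The install-time behaviour described above (a declared hook that executes a command and sends the result out) can be screened for before a package is trusted. The Node.js script below is an added example, not code from this advisory or from the package: it lists a package's `preinstall`/`install`/`postinstall` hooks and rates a hook `high` when the hook command or the script it launches references both command execution and network access. The function names, the regex markers and the inert sample package are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory): audit a package for install-time hooks.
const fs = require("fs");
const os = require("os");
const path = require("path");

// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Heuristic markers (assumption): command execution and outbound network use.
const EXEC_RE = /child_process|\bexec(Sync|File)?\s*\(|\bspawn(Sync)?\s*\(/;
const NET_RE = /require\(\s*["'](https?|net|dns)["']\s*\)|\bfetch\s*\(|https?:\/\//;

function auditPackage(pkgDir) {
  const root = path.resolve(pkgDir);
  const manifest = JSON.parse(fs.readFileSync(path.join(root, "package.json"), "utf8"));
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    const f = { name: manifest.name, hook, cmd, exec: EXEC_RE.test(cmd), net: NET_RE.test(cmd) };
    // When the hook is `node <file>`, inspect that file as well.
    const m = /^node\s+(\S+)/.exec(cmd);
    const file = m ? path.resolve(root, m[1]) : null;
    // Stay inside the package directory; tolerate a missing or non-file target.
    if (file && file.startsWith(root + path.sep) && fs.existsSync(file) && fs.statSync(file).isFile()) {
      const src = fs.readFileSync(file, "utf8");
      f.exec = f.exec || EXEC_RE.test(src);
      f.net = f.net || NET_RE.test(src);
    }
    f.severity = f.exec && f.net ? "high" : "review";
    findings.push(f);
  }
  return findings;
}

// Constructed sample: an inert stand-in shaped like the package described above.
function makeSample(scripts, hookSource) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name: "sample-pkg", scripts }));
  if (hookSource) fs.writeFileSync(path.join(dir, "postinstall.js"), hookSource);
  return dir;
}

const sample = makeSample({ postinstall: "node postinstall.js" },
  'const cp = require("child_process"); const https = require("https"); // inert');
console.log(auditPackage(sample));
```

Run `auditPackage` over each directory under `node_modules` after installing with `npm install --ignore-scripts`, which keeps lifecycle hooks from executing while the tree is reviewed.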
Affected packages
No fixed version published yet for sheratan_haha (npm). Pin to a known-safe version or switch to an alternative.