
MAL-2026-5758

Malicious code in npm-sandbox-research-8b2f (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b)

On install, package.json runs `postinstall: node run.js`, which loads beacon scripts (beacon8.js, beacon_linux.js) that import child_process, os, and http, gather host identity (output of `whoami`, `os.hostname()`, `os.platform()`), and POST the collected data to a hardcoded HTTP endpoint via `http.request(...)`. This fires automatically on `npm install`, providing attacker-controlled reconnaissance of every installer host with no user interaction. The behavior — privileged shell command execution, host identity collection, and outbound HTTP POST from a postinstall hook — matches the active-attack reconnaissance/beacon fingerprint.
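
A defender-side static check for the pattern described above, added here as an example; it is not code from the advisory, from amazon-inspector, or from the package. It follows each install hook's `node <file>` entry point through local requires and flags the hook when the reachable code loads both a command-execution module and a network module. The file-map input shape, the module lists, and the split of imports across the stub files are assumptions.

```javascript
// Added example: flag npm install hooks whose reachable code can both run commands and use the network.
const HOOKS = ['preinstall', 'install', 'postinstall'];  // run automatically by `npm install`
const EXEC = ['child_process'];
const NET = ['http', 'https', 'net', 'dgram', 'dns'];
const IMPORT_RE = /(?:require\(\s*|import\s*\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;

// Resolve a relative specifier against the file that references it (package-relative paths).
const resolve = (base, spec) => new URL(spec, 'file:///' + base).pathname.slice(1);

// Walk local files reachable from `file`, collecting the non-relative modules they load.
function reachableModules(files, file, seen = new Set(), mods = new Set()) {
  if (seen.has(file) || !(file in files)) return mods;
  seen.add(file);
  for (const [, spec] of files[file].matchAll(IMPORT_RE)) {
    if (spec.startsWith('.')) {
      const target = resolve(file, spec);
      reachableModules(files, target in files ? target : target + '.js', seen, mods);
    } else {
      mods.add(spec.replace(/^node:/, ''));
    }
  }
  return mods;
}

// files: { packageRelativePath: contents } for one unpacked package (hypothetical input shape).
function auditPackage(files) {
  const scripts = JSON.parse(files['package.json']).scripts || {};
  return HOOKS.filter(h => scripts[h]).map(hook => {
    const mods = new Set();
    for (const [, entry] of scripts[hook].matchAll(/\bnode\s+([^\s;&|]+)/g)) {
      reachableModules(files, resolve('', entry), new Set(), mods);
    }
    const suspicious = EXEC.some(m => mods.has(m)) && NET.some(m => mods.has(m));
    return { hook, command: scripts[hook], modules: [...mods].sort(), suspicious };
  });
}

// Constructed sample mirroring the layout described above; file bodies are stubs, not the real package.
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'sample-package', scripts: { postinstall: 'node run.js' } }),
  'run.js': "require('./beacon8.js'); require('./beacon_linux');",
  'beacon8.js': "const cp = require('child_process'); const os = require('os'); // stub",
  'beacon_linux.js': "const http = require('node:http'); // stub",
};

console.log(auditPackage(SAMPLE));
```

A hit is a triage signal rather than a verdict, since packages with native build steps also use install hooks. Installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while a package is reviewed.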


Affected packages

npm / npm-sandbox-research-8b2f

No fixed version published yet for npm-sandbox-research-8b2f (npm). Pin to a known-safe version or switch to an alternative.
