—

MAL-2026-5759

Malicious code in npm-sandbox-research-9c4e (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (24c86d7d2179375f642423fc8c38f58f5740b543bacab149ba8d4cbdcd7dc4cf) On install, package.json runs `node run.js` via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()) and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via `npm install`, host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name (`npm-sandbox-research-*`) and shipped contents are inconsistent with any legitimate library purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / npm-sandbox-research-9c4e

No fixed version published yet for npm-sandbox-research-9c4e (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/npm-sandbox-research-9c4e/v/1.0.0 [PACKAGE]