—

MAL-2026-5760

Malicious code in npm-sandbox-research-c5d6 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b) The package declares a postinstall hook (`"postinstall": "node run.js"`) that executes automatically on `npm install`. The shipped beacon scripts (`beacon11.js`, `beacon_linux.js`) load `child_process`, `os`, and `http`, read host identifiers via `os.hostname()` and `os.platform()`, and issue outbound HTTP GET/POST requests carrying that data. This is the install-time host-fingerprinting and exfiltration shape: lifecycle execution + system-info collection + outbound network in a single chain, with no legitimate library functionality justifying the behavior.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / npm-sandbox-research-c5d6

No fixed version published yet for npm-sandbox-research-c5d6 (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/npm-sandbox-research-c5d6/v/1.0.0 [PACKAGE]