—

MAL-2026-5763

Malicious code in npm-sandbox-research-g3h4 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a) On install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / npm-sandbox-research-g3h4

No fixed version published yet for npm-sandbox-research-g3h4 (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/npm-sandbox-research-g3h4/v/1.0.0 [PACKAGE]