MAL-2026-5857
Malicious code in event-metrics-q3x7 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8)

On install, package.json runs a postinstall hook (`node run.js`) that launches beacon scripts (beacon20.js, beacon_linux.js) shipped in the tarball. The beacons load `child_process`, `os`, `https` and `http`, gather host fingerprints (os.hostname(), os.platform(), process.platform, process.env) plus command output obtained via `exec(...)`, and send the data outbound: beacon_linux.js issues an `http.request(...)` POST containing host details, while beacon20.js performs `https.request(...)` calls, including requests against the Azure management API endpoint. Nothing in the package's advertised purpose justifies a host-information beacon firing automatically at install time, and the data collected (environment variables, hostname, platform, command output) is classic installer-side reconnaissance; process.env in particular commonly carries CI tokens, registry credentials and cloud keys, so the beacon doubles as credential harvesting. Installing this package executes the beacon on `npm install` and leaks installer-machine information to the embedded destinations.
Affected packages
No fixed version has been published for event-metrics-q3x7 (npm), and every published version referenced below (1.0.0 through 1.0.8) is listed as affected, so there is no known-safe version to pin to. Remove the package, switch to an alternative, and treat any host that ran `npm install` with it as having leaked its environment variables and host details.
References
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.0 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.1 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.2 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.3 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.5 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.6 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.7 [PACKAGE]
- https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.8 [PACKAGE]