—

MAL-2026-5911

Malicious code in utils-common-helpers (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e6999f05f6036baf4f6d45de0c55c6dd63452dc59ab6ebcbad0ffebf93e60584) package.json declares a postinstall lifecycle hook that runs `curl -s http://8.140.205.78 -o /dev/null` on every install. The package's only functional code is a trivial `hello()` helper in index.js that returns the string 'hello', which is inconsistent with the declared purpose of 'Common utility helpers for frontend projects'. The lifecycle network call has no relation to any advertised functionality and serves only to disclose the installer's public IP address and install timing to the operator of the bare IP 8.140.205.78. This is a classic install-counter / victim-discovery beacon pattern: a throwaway lure package whose real purpose is the install-time callout. Plain HTTP to a bare IP (no TLS, no domain, no documented purpose) is inconsistent with any legitimate telemetry shape.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / utils-common-helpers

No fixed version published yet for utils-common-helpers (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/utils-common-helpers/v/1.0.0 [PACKAGE]