—

MAL-2026-5986

Malicious code in npm-sandbox-ping-r9t2 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (335649d395a44d7de1bc6343dbce1f0459414ef92ab149413a86b47e28f3c7c3) package.json declares a postinstall hook ("postinstall": "node run.js") that auto-executes on install. The package ships beacon scripts (beacon14.js, beacon_linux.js) that import child_process and http/os, run shell commands such as whoami, read process.env, process.platform, os.hostname(), os.platform(), and transmit the collected host/identity data via http.request GET/POST to a remote endpoint. The data flow (system enumeration -> outbound HTTP) and the install-time auto-execution together constitute a credential/host-info exfiltration beacon. Installer harm: any machine that runs `npm install npm-sandbox-ping-r9t2` will silently execute these beacons and leak local identity/environment information to a remote endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / npm-sandbox-ping-r9t2

No fixed version published yet for npm-sandbox-ping-r9t2 (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/npm-sandbox-ping-r9t2/v/1.0.0 [PACKAGE]