MAL-2026-6077

Malicious code in ebpf-tracker-action (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3)

package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects hostname (os.hostname()), username (os.userInfo()), homedir, DNS servers, and package paths, reads /etc/passwd and /etc/hosts via fs.readFileSync, and HTTPS-POSTs the JSON payload to 66az91mywqmmbqau9k79bum1us0jo9cy.oastify.com (a Burp Collaborator subdomain). Package metadata (empty author, empty description, generic CI-flavored name `ebpf-tracker-action`) is consistent with a dependency-confusion attack targeting an internal package name. Any machine that installs this package leaks system identity and local account data to an attacker-controlled host at install time.
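The install-hook pattern described above can be triaged statically before a package is ever installed. The following is an added example, not code from this advisory or from Amazon Inspector; `auditPackage`, `verdict`, the indicator ids and both sample packages are assumptions made for illustration, and the sample host is a placeholder.

```javascript
// Added example: static triage of an unpacked npm package for install-time hooks.
const HOOKS = ["preinstall", "install", "postinstall"];

// Indicators mirror the behaviour this advisory describes; the ids are made up here.
const INDICATORS = [
  { id: "host-identity", re: /os\.(hostname|userInfo|homedir)\s*\(/ },
  { id: "local-account-files", re: /\/etc\/(passwd|hosts)/ },
  { id: "oob-collector-domain", re: /[\w.-]+\.oastify\.com/i },
  { id: "https-request", re: /https\.request\s*\(/ },
];

// manifest: parsed package.json; files: { relativePath: sourceText }.
function auditPackage(manifest, files) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    // Resolve `node <file>` to the script it runs; other commands are only reported.
    const m = /^\s*node\s+(?:\.\/)?(\S+)/.exec(cmd);
    const src = m ? files[m[1]] : undefined;
    const indicators = src === undefined
      ? []
      : INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id);
    findings.push({ hook, cmd, indicators });
  }
  return findings;
}

// "block": hook script touches a collector domain, or identity data plus account files.
// "review": an install hook exists but nothing matched. "ok": no install hooks.
function verdict(findings) {
  if (findings.length === 0) return "ok";
  const bad = findings.some((f) =>
    f.indicators.includes("oob-collector-domain") ||
    (f.indicators.includes("host-identity") && f.indicators.includes("local-account-files")));
  return bad ? "block" : "review";
}

// Constructed samples (not the real package contents; host is a placeholder).
const suspectManifest = { name: "ebpf-tracker-action", scripts: { preinstall: "node index.js" } };
const suspectFiles = { "index.js": [
  "const info = { h: os.hostname(), u: os.userInfo() };",
  "info.passwd = fs.readFileSync('/etc/passwd', 'utf8');",
  "// https.request({ host: 'placeholder.oastify.com', method: 'POST' }) ...",
].join("\n") };
const benignManifest = { name: "constructed-benign", scripts: { postinstall: "node build.js" } };
const benignFiles = { "build.js": "fs.mkdirSync('dist', { recursive: true });" };
console.log(verdict(auditPackage(suspectManifest, suspectFiles)), verdict(auditPackage(benignManifest, benignFiles)));
```

Unpacking a package for this kind of review with `npm install --ignore-scripts` keeps the lifecycle hooks from firing during inspection.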

Affected packages

npm / ebpf-tracker-action

No fixed version published yet for ebpf-tracker-action (npm). Pin to a known-safe version or switch to an alternative.
