—

MAL-2026-6090

Malicious code in data-utils-bcf2 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf) The package declares a postinstall lifecycle hook ("postinstall": "node run.js" in package.json) that automatically executes run.js on install. run.js imports os, fs, http, https, and child_process, collects host identifying information (os.hostname(), os.platform()), reads files from disk (fs.readFileSync, fs.existsSync), and issues multiple POST requests over HTTP/HTTPS (run.js lines 134, 137, 348, 355). The combination of automatic install-time execution, host fingerprinting, filesystem reads, and outbound POSTs is the canonical install-time exfiltration shape. Installing this package on a developer machine or CI runner will run the reconnaissance and exfiltration code without user interaction.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / data-utils-bcf2

No fixed version published yet for data-utils-bcf2 (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/data-utils-bcf2/v/1.0.0 [PACKAGE]