—

MAL-2026-6184

Malicious code in @qlab/component-intelligence (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934) package.json declares a preinstall hook (`"preinstall": "node index.js"`) that fires automatically on `npm install`. index.js requires os, dns, https, querystring, and the package's own package.json, then collects the installer's hostname (`os.hostname()`), username (`os.userInfo().username`), home directory (`os.homedir()`), configured DNS servers (`dns.getServers()`), current working directory, and the full contents of package.json, and POSTs them via HTTPS to the hardcoded webhook `https://eo1e4fhn1i67p8r.m.pipedream.net/`. This is the canonical dependency-confusion / recon-beacon shape: host identifiers and internal package metadata leave the machine unconditionally at install time to an attacker-controlled endpoint, giving the attacker reconnaissance data on internal package names, corporate hostnames, and user identities to fuel follow-on supply-chain attacks.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @qlab/component-intelligence

No fixed version published yet for @qlab/component-intelligence (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/@qlab/component-intelligence/v/2.0.6 [PACKAGE]