—

MAL-2026-6237

Malicious code in atlasora-api (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92) Package declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on `npm install`. install.js imports https, fs, os, and child_process and collects host identifiers including os.hostname() and os.userInfo(), uses execSync for additional system enumeration, probes filesystem paths via fs.existsSync, and POSTs the collected data over an outbound https.request. This is the canonical install-time host-reconnaissance / exfiltration pattern: the package's only effect on installation is to harvest system identity and ship it off-host. There is no documented library functionality justifying the network beacon at install time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / atlasora-api

No fixed version published yet for atlasora-api (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/atlasora-api/v/1.0.0 [PACKAGE]