—

MAL-2026-6241

Malicious code in atlasora-shared (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba) package.json declares `"postinstall": "node install.js"`, causing install.js to run automatically on `npm install`. install.js requires `https`, `fs`, `os`, and `child_process`, collects host identifiers via `os.hostname()` and `os.userInfo()`, executes shell commands via `execSync(...)`, probes filesystem paths with `fs.existsSync(...)`, and POSTs the collected data to a remote endpoint via `https.request(...)`. This is the canonical install-time system-information exfiltration pattern: identifying data is gathered from the installer's machine and beaconed outbound on every install, with no documented purpose tied to the package's stated function. Installing this package automatically leaks host and user information to an external destination.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / atlasora-shared

No fixed version published yet for atlasora-shared (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/atlasora-shared/v/1.0.0 [PACKAGE]