MAL-2026-6756

Malicious code in vps-maintenance (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (110b8556d612185c2c6ea84731898d4f23f04658556e1ff22852f953b956e43a)

The package.json `postinstall` script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns `/bin/sh` with its stdio piped through the socket. Because npm runs `postinstall` automatically during `npm install`, any machine that runs `npm install vps-maintenance` immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge; this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (`vps-maintenance`) is a cover story; the actual behavior is a backdoor.
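A defensive check for the pattern described above, as an added example that is not part of this advisory or of the scanner it cites: it audits a package.json's install-time lifecycle scripts for a network socket paired with a shell spawn. The indicator patterns, the package names and the 192.0.2.10 documentation address are assumptions constructed for illustration.

```javascript
// Added example: flag npm install-time scripts that pair a socket with a shell spawn.
// Hooks that npm runs automatically when a dependency is installed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic indicators chosen for this example; not an exhaustive rule set.
const INDICATORS = {
  inlineNode: /\bnode\s+(-e|--eval)\b/,
  socket: /\b(net|tls|dgram)\b[\s\S]*\b(connect|createConnection|Socket)\b/,
  shellSpawn: /child_process|\/bin\/(sh|bash)|cmd\.exe/,
  bareIPv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const body = scripts[hook];
    if (typeof body !== 'string') continue;
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(body));
    // Socket plus shell spawn in an install hook is the shape the advisory describes.
    const severity = hits.includes('socket') && hits.includes('shellSpawn') ? 'block'
      : hits.length > 0 ? 'review' : 'ok';
    if (severity !== 'ok') findings.push({ name: manifest.name, hook, severity, hits });
  }
  return findings;
}

// Constructed samples. The first is deliberately elided ("...") and does not run.
const suspicious = {
  name: 'example-suspicious-pkg',
  scripts: {
    postinstall: "node -e \"... require('net') ... connect(7007, '192.0.2.10') ... require('child_process') ... '/bin/sh' ...\"",
  },
};
const benign = {
  name: 'example-native-addon',
  scripts: { install: 'node-gyp rebuild', test: 'mocha' },
};

console.log(JSON.stringify(auditManifest(suspicious)));
console.log(JSON.stringify(auditManifest(benign)));
```

Installing with `npm install --ignore-scripts` keeps lifecycle scripts such as `postinstall` from running at all, so a manifest can be audited before any of its code executes.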

Affected packages

npm / vps-maintenance

No fixed version published yet for vps-maintenance (npm). Pin to a known-safe version or switch to an alternative.
