MAL-2026-6953
Malicious code in whs4_pnm (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (47d72187d8b59a9a40cb8397d064bc7319b20e19ee7d48b870432bd96952b089) The package declares a postinstall script (`node index.js`) that runs unconditionally on `npm install`. The script POSTs the absolute `__filename` path (which contains the installer's OS username via the home-directory prefix), the Node.js version, and the platform/architecture to a hardcoded Discord webhook at `https://discord.com/api/webhooks/1523336123319849031/...`. There is no opt-in, disclosure, or configuration option — every install silently transmits host-identifying data to an author-controlled endpoint. The package's own README and default internal `packageName` value (`whs4_typo`) indicate the package is positioned as a typo-target beacon, matching the typosquat-with-callback pattern where the attacker collects fingerprints of developers who mistype a legitimate package name.
## Source: ghsa-malware (6c7538f81810e9802a2f2a45995000376e76177b2eb21d1c6e8aea63942a330d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for whs4_pnm (npm). Pin to a known-safe version or switch to an alternative.