MAL-2026-6986
Malicious code in @luminarycloudinternal/frodo (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f) Package published under a scope shadowing internal Luminary Cloud packages (@luminarycloudinternal) at version 9999.0.1 — the canonical dependency-confusion shape designed to win version resolution over a private internal package of the same name. On install, postinstall.js (line 8) performs an HTTPS GET to a hardcoded external host (poc-luminary-npm-1782987043.testingboxes.com) carrying installer-owned CI and host identifiers: GITHUB_REPOSITORY, GITHUB_SHA, GITHUB_REF, GITHUB_WORKFLOW, RUNNER_NAME, os.hostname(), and npm user-agent. When a build system misresolves the internal name to the public registry, this postinstall runs automatically and discloses internal repository, workflow, commit, and runner identifiers to a third-party endpoint. The package self-identifies as a Bugcrowd research canary, but self-labeling does not change the mechanism: installer-owned metadata leaves the machine at install time to a non-first-party destination via a namespace-squat.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @luminarycloudinternal/frodo (npm). Pin to a known-safe version or switch to an alternative.