VDB
KO

MAL-2026-7003

Malicious code in searchresults (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c7d5453a0b1576ed8880071cda901607e79f25378700d3f999ab2c9715e00635) searchresults@999.0.0 is a high-version dependency-confusion squat on the generic name 'searchresults'. package.json declares preinstall and postinstall = 'node callback.js', so on npm install callback.js executes automatically and collects installer identity (username, uid/gid, homedir, shell, os.hostname(), platform, cwd, local IP, external IP fetched from api.ipify.org) plus CI context (GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, BUILD_NUMBER) and POSTs it to a hardcoded Discord webhook and a callback URL. It additionally fingerprints which installers hold monetizable CI credentials by probing for presence of AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, and DOCKER_PASSWORD in the environment and reporting the result to the same webhook. A DNS-based fallback channel base64-encodes the collected info and issues a DNS lookup of that value as a subdomain of the callback host, bypassing HTTP egress filtering. The 999.0.0 version and generic name are engineered to win npm semver resolution against internally-named private packages, giving install-time code execution on arbitrary organizations. Self-labeling as 'security research PoC' does not constitute installer consent.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / searchresults

No fixed version published yet for searchresults (npm). Pin to a known-safe version or switch to an alternative.

References