VDB
KO

MAL-2026-7011

Malicious code in events-alias (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9) The package's preinstall hook ("node index.js") runs automatically on `npm install` and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of `whoami`/`id`, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package name 'events-alias' mimics the ubiquitous Node core 'events' module namespace but ships only this install-time recon/exfil payload; an undeclared ~10KB binary blob named 'i' also ships in the tarball but is not referenced from the executed code. Installing this package leaks installer identity/host reconnaissance data to attacker-controlled infrastructure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / events-alias

No fixed version published yet for events-alias (npm). Pin to a known-safe version or switch to an alternative.

References