VDB
KO

MAL-2026-7016

Malicious code in @vraksha/gh-helper (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c867b4c68acc159dea1bbd580c5de3f3c9fef7bd1f54cd48a02c59631ffda12) On `npm install`, the package's postinstall hook runs index.js, which performs an HTTPS GET to https://http-logger-production.up.railway.app/payload, base64-decodes the response body (Buffer.from(data.trim(), 'base64').toString('utf-8')), and passes the decoded string to child_process.execSync with { shell: '/bin/bash' }. This is a fetch-decode-exec dropper: the executed content is attacker-controlled, mutable, and opaque, and it runs automatically at install time with the installer's privileges. No legitimate purpose (no shipped native source requiring a build, no vendor-matched SDK, no pinned artifact) justifies this pattern.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @vraksha/gh-helper

No fixed version published yet for @vraksha/gh-helper (npm). Pin to a known-safe version or switch to an alternative.

References