VDB
EN

MAL-2026-10062

Malicious code in es6-codify (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f) The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / es6-codify

No fixed version published yet for es6-codify (npm). Pin to a known-safe version or switch to an alternative.

참고