MAL-2026-10099
Malicious code in polipoli-pak (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f) On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INIT_CWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for polipoli-pak (npm). Pin to a known-safe version or switch to an alternative.