MAL-2026-10214
Malicious code in babel-preset-lib-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4) index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of `printenv` (base64-encoded), and the base64-encoded output of `tree../`, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for babel-preset-lib-client (npm). Pin to a known-safe version or switch to an alternative.