MAL-2026-10425
Malicious code in trinity-scheme (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5d576c0487668f599137a479e17ddc1335935fdec631f7d5adfa9e73049d7652) On npm install, the package's preinstall lifecycle reads a hex-encoded `command` string from preinstall.json, decodes it via Buffer.from(..., 'hex'), and passes the decoded shell command to child_process.exec. The decoded payload collects the installer's `whoami`, `pwd`, and `hostname` output and POSTs the values to the hardcoded endpoint https://eo7o7j442dx6yl6.m.pipedream.net/. The command is stored in hex form to evade plain-text scanning; the package otherwise provides no functionality consistent with its declared name.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for trinity-scheme (npm). Pin to a known-safe version or switch to an alternative.