VDB
KO

MAL-2026-10425

Malicious code in trinity-scheme (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5d576c0487668f599137a479e17ddc1335935fdec631f7d5adfa9e73049d7652) On npm install, the package's preinstall lifecycle reads a hex-encoded `command` string from preinstall.json, decodes it via Buffer.from(..., 'hex'), and passes the decoded shell command to child_process.exec. The decoded payload collects the installer's `whoami`, `pwd`, and `hostname` output and POSTs the values to the hardcoded endpoint https://eo7o7j442dx6yl6.m.pipedream.net/. The command is stored in hex form to evade plain-text scanning; the package otherwise provides no functionality consistent with its declared name.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / trinity-scheme

No fixed version published yet for trinity-scheme (npm). Pin to a known-safe version or switch to an alternative.

References