MAL-2026-10478
Malicious code in @sectest429/hello-npm-world (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (479b9303d76a49dfacb402f0a906e32686b5d276e23f429678150e73e506550d) The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @sectest429/hello-npm-world (npm). Pin to a known-safe version or switch to an alternative.