VDB
EN

MAL-2026-10493

Malicious code in insomnia-plugin-poc-m4gester-run (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (38a525aea57681df6c21035b723701fa6067f091fd81ac26bb3fcc8e2126c43e) package.json declares a postinstall lifecycle hook that runs `calc.exe` on the installer's machine during `npm install`. The main entry point exports only an empty `requestHooks` array, providing no actual Insomnia plugin functionality — the package's sole effect is the arbitrary command execution at install time. The name self-identifies as a proof-of-concept and mimics the Insomnia plugin naming convention with a leet-substituted variant, indicating the package exists solely to demonstrate/exploit install-time RCE. While calc.exe itself is benign, the postinstall hook establishes full arbitrary-command-execution capability against any developer installing the package on Windows.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / insomnia-plugin-poc-m4gester-run

No fixed version published yet for insomnia-plugin-poc-m4gester-run (npm). Pin to a known-safe version or switch to an alternative.

참고