VDB
KO

MAL-2026-10675

Malicious code in ac-raf-emitter (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a9d9e454c08fdafa531ee74a3bc52513d5bc39413810db4a6371494872984f8) package.json declares a preinstall lifecycle script that runs `curl -X POST` against a hardcoded webhook.site collector URL (https://webhook.site/54919426-084d-4288-8f80-e36ae5c76e32), passing the installer's hostname and a timestamp as query parameters. The exfiltration fires automatically on `npm install` before any consumer code runs. The destination is an anonymous, author-controlled request-inspection endpoint with no legitimate role in the package's advertised functionality.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ac-raf-emitter

No fixed version published yet for ac-raf-emitter (npm). Pin to a known-safe version or switch to an alternative.

References