MAL-2026-4362
Malicious code in @arbocollab/arbo-web-people (npm)
Details
## Source: amazon-inspector (3f007c3da95aa64e4c2ed5b51b736900ddc444499f2f678d749603fab516a0c3)

The published tarball ships `npmjs.npmrc` containing a live `npm_`-prefixed authToken for `registry.npmjs.org` scoped to `@arbocollab`. `package.json` declares `"files": ["*"]` and `.npmignore` does not exclude `npmjs.npmrc`, so every installer receives the credential. The package.json `publish:lib` script references this same file via `--userconfig=npmjs.npmrc`, confirming it is the maintainer's real publish credential rather than a stub. Any installer or anyone who downloads the tarball can use this token to publish arbitrary malicious versions under the `@arbocollab` scope, pivoting into a supply-chain attack against all downstream consumers of any package in that scope. No install-time hooks are present; the harm is the credential redistribution itself. Remediation: revoke the token immediately, unpublish/deprecate affected versions, remove `npmjs.npmrc` from the published tarball, and add it to `.npmignore` or restrict the `files` allowlist to the artifacts that should ship.
Affected packages
No fixed version published yet for @arbocollab/arbo-web-people (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.13 [PACKAGE]
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.9 [PACKAGE]
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.7 [PACKAGE]
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.10 [PACKAGE]
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.15 [PACKAGE]
- https://www.npmjs.com/package/@arbocollab/arbo-web-people/v/0.26.3-alpha.14 [PACKAGE]