VDB
KO

MAL-2026-5472

Malicious code in getd-web-corporativa (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6751d3ca04c2ae596f7e809e339770edaed576060d361c061311960b0a3a7033) On `npm install`, postinstall.js performs an HTTPS GET to a hardcoded webhook.site receiver, leaking the installer's hostname, OS username, platform, current working directory, package name/version, CI/build indicators, and a timestamp via URL query parameters. Errors are swallowed so installation appears to succeed silently. The destination is a public webhook collector — any party holding the UUID path can read every submission, so this is unauthenticated host reconnaissance suitable for follow-on targeting. The package's name resembles the `@getd/*` scope but is published unscoped by `jplopezy (defensive-squat)` with no repository and a placeholder homepage; the README's 'defensive squat telemetry' framing does not change the fact that installer-side identity data is shipped off-host without consent on every install. The package has no other functionality.

## Source: ghsa-malware (45e1c42b4cce75c5c8684442a2de6ada96668ce19c78acf5e2d934c128b6291a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / getd-web-corporativa
Introduced in: 0

No fixed version published yet for getd-web-corporativa (npm). Pin to a known-safe version or switch to an alternative.

References