MAL-2026-5757

Malicious code in npm-sandbox-ping-c8f2a (npm)

Details

## Source: amazon-inspector (f5401a81d56283c310efebfe29af19c3e3fa331667f40adeed71a54627adc877)

The package declares a postinstall hook (`"postinstall": "node run.js"` in package.json) that executes on every install. The bundled scripts beacon6.js and beacon_linux.js use `require('child_process')` to gather host identity (`whoami`, `os.hostname()`, `os.platform()`) and POST the collected data to a remote HTTP endpoint via `http.request(...)`. The package name `npm-sandbox-ping-c8f2a` and the beacon-style file names, together with the absence of any legitimate library functionality, indicate that the install-time goal is host fingerprinting and callback to an attacker-controlled destination rather than any documented purpose. Installing this package automatically transmits the installing machine's identity off-host.
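A defender-side triage check for the pattern this record describes, added here as an example and not code from the package or from the database: it reads an unpacked package's files from memory, flags install-time lifecycle hooks in package.json, and flags bundled scripts that both import `child_process` and make HTTP requests. The sample package contents and the `placeholder.invalid` host are constructed stand-ins, not the real files.

```javascript
// Added example (not the package's own code): static triage heuristic for an
// npm package that declares an install-time lifecycle script. It flags the
// package.json hook and any bundled file that combines process execution
// (child_process) with outbound HTTP, the shape described in this record.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const EXEC_PATTERNS = [/require\(['"]child_process['"]\)/, /from ['"]child_process['"]/];
const NET_PATTERNS = [/\bhttps?\.request\(/, /\bfetch\(/, /require\(['"]https?['"]\)/];

// files: Map<path, contents>, as if read from an unpacked tarball.
function triagePackage(files) {
  const findings = [];
  const pkg = JSON.parse(files.get('package.json') || '{}');
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'lifecycle-hook', hook, command: scripts[hook] });
  }
  for (const [path, src] of files) {
    if (!path.endsWith('.js')) continue;
    const execs = EXEC_PATTERNS.some((re) => re.test(src));
    const net = NET_PATTERNS.some((re) => re.test(src));
    if (execs && net) findings.push({ type: 'exec-and-network', path });
    else if (execs) findings.push({ type: 'exec-only', path });
  }
  // A hook plus a file that both runs commands and talks to the network is the
  // install-time beacon shape; anything else only merits a manual look.
  const hook = findings.some((f) => f.type === 'lifecycle-hook');
  const beacon = findings.some((f) => f.type === 'exec-and-network');
  const verdict = hook && beacon ? 'block' : findings.length ? 'review' : 'clean';
  return { verdict, findings };
}

// Constructed sample mirroring the record: a postinstall hook and a script that
// shells out and posts the result. The bodies are inert stubs, never executed.
const SAMPLE = new Map([
  ['package.json', JSON.stringify({ name: 'sample-pkg', version: '1.0.0', scripts: { postinstall: 'node run.js' } })],
  ['run.js', "require('./beacon6.js');"],
  ['beacon6.js', "const cp = require('child_process');\nconst http = require('http');\nhttp.request({ host: 'placeholder.invalid' });"],
  ['lib/index.js', 'module.exports = () => 42;'],
]);

function triageSample() {
  return triagePackage(SAMPLE);
}

console.log(JSON.stringify(triageSample(), null, 2));
```

The sample yields verdict `block` with two findings: the `postinstall` hook and `beacon6.js` as exec-and-network.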

Affected packages

npm / npm-sandbox-ping-c8f2a

No fixed version published yet for npm-sandbox-ping-c8f2a (npm). Pin to a known-safe version or switch to an alternative.