MAL-2026-5761
Malicious code in npm-sandbox-research-d7e8 (npm)
Details
---

_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3ff31cbf7e2e36cef422933472638912cd6ee6652ece9b03d11faa98b70d13e9)

Package declares a postinstall lifecycle hook (`"postinstall": "node run.js"`) that auto-executes on install. The package ships beacon scripts (`beacon12.js`, `beacon_linux.js`) that import `child_process`, `os`, and `http`, collect host identifiers via `os.hostname()` and `os.platform()`, and issue outbound HTTP GET/POST requests via `http.request()` carrying that data off-host. The combination of automatic install-time execution, host enumeration, and unconditional outbound HTTP to non-registry endpoints is a host-beacon / exfiltration pattern that runs on any developer or CI machine that runs `npm install` against this package.
Affected packages
No fixed version published yet for npm-sandbox-research-d7e8 (npm). Pin to a known-safe version or switch to an alternative.