
MAL-2026-6099

Malicious code in stream-read-35cf (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e)

Package declares a postinstall hook ("postinstall": "node run.js") that auto-executes run.js on `npm install`. run.js imports os, fs, http, https, and child_process and collects host identifiers (os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd()), reads files via fs.readFileSync / fs.existsSync, base64-encodes data via Buffer.from(...).toString('base64'), and POSTs the results to remote endpoints over http/https (multiple POST call sites at lines 135, 138, 347, 354). The package name is a short random-suffixed identifier with no documented purpose, and the only effect of installing the package is the reconnaissance + exfiltration payload. This is the canonical install-time stealer shape.
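A defender-side check for the traits described above, as an added example that is not part of the advisory or of Amazon Inspector's tooling: it inspects a parsed package.json and the script its install hook runs. The function name `auditPackage`, the trait labels and the sample package are assumptions constructed for illustration.

```javascript
// Added example: flags the install-time stealer traits this advisory lists.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const TRAITS = {
  'host-recon': /os\.(hostname|userInfo|platform)\s*\(|process\.env\.USER|process\.cwd\s*\(/,
  'file-read': /fs\.(readFileSync|existsSync)\s*\(/,
  'base64-encode': /\.toString\(\s*['"]base64['"]\s*\)/,
  'network': /require\(\s*['"](node:)?https?['"]\s*\)|from\s+['"](node:)?https?['"]/,
  'child-process': /require\(\s*['"](node:)?child_process['"]\s*\)/,
};

// manifest: parsed package.json object; files: { relativePath: sourceText }.
// Returns one finding per npm lifecycle hook that runs automatically on install.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    // Resolve "node <file>" to the script the hook executes, if it is that simple.
    const m = /^node\s+(\S+)/.exec(cmd.trim());
    const target = m ? m[1].replace(/^\.\//, '') : null;
    const src = target !== null && typeof files[target] === 'string' ? files[target] : '';
    const traits = Object.keys(TRAITS).filter((name) => TRAITS[name].test(src));
    // Host reconnaissance plus network access in auto-run code is the stealer shape.
    const suspicious = traits.includes('host-recon') && traits.includes('network');
    findings.push({ hook, cmd, target, traits, suspicious });
  }
  return findings;
}

// Constructed sample (inert text, never executed); not the real package contents.
const sampleManifest = {
  name: 'example-pkg',
  scripts: { postinstall: 'node run.js' },
};
const sampleFiles = {
  'run.js': [
    "const os = require('os');",
    "const https = require('https');",
    "const id = Buffer.from(os.hostname()).toString('base64');",
  ].join('\n'),
};

console.log(JSON.stringify(auditPackage(sampleManifest, sampleFiles), null, 2));
```

Any finding deserves manual review before the package is installed; `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps lifecycle hooks from running at all.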


Affected packages

npm / stream-read-35cf

No fixed version published yet for stream-read-35cf (npm). Pin to a known-safe version or switch to an alternative.
