—

MAL-2026-6238

Malicious code in atlasora-client (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5) package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and child_process; collects host identifiers via os.hostname() and os.userInfo(); invokes execSync() to gather additional system data; checks for sensitive files via fs.existsSync(); and POSTs the collected data over an https.request() to a hardcoded remote endpoint. This is the canonical install-time system-information exfiltration shape: any developer or CI machine that runs `npm install atlasora-client` will silently leak host identity, user account info, and reconnaissance data about local filesystem contents to an attacker-controlled destination.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / atlasora-client

No fixed version published yet for atlasora-client (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/atlasora-client/v/1.0.0 [PACKAGE]