
MAL-2026-6302

Malicious code in hashd-edu (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454)

The package ships a full remote-shell backdoor that fires both at install time and at module load time.

`postinstall.js` forks itself as a detached daemon (`POSTINSTALL_DAEMON=1`), generates/loads a machine UUID, and POSTs `{uuid, hostname, platform}` to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned `command` field into `child_process.exec()`, POSTing stdout/stderr back to /results.

`index.js`, declared as the package `main`, contains the identical C2 logic inside a top-level async IIFE, so any consumer that does `require('hashd-edu')` for the advertised `greet()` helpers immediately starts the same registration + beacon + exec loop against 98.86.244.177:8080.

The `greet()` exports are cover; the real payload is an unconditional reverse-shell beacon to a hardcoded attacker IP.

Affected packages

npm / hashd-edu

No fixed version published yet for hashd-edu (npm). Pin to a known-safe version or switch to an alternative.
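Because the payload runs both on install and on `require`, it matters whether hashd-edu appears anywhere in the dependency tree, not only as a direct dependency. The following is an added example, not part of the advisory: it searches a parsed `package-lock.json` for the package at any depth. The sample lockfile, the other package names in it, and the version string are constructed.

```javascript
// Added example: locate a named package anywhere in a parsed package-lock.json.
// MALICIOUS_NAME comes from the advisory; everything in SAMPLE_LOCK is constructed.
const MALICIOUS_NAME = 'hashd-edu';
const NM = 'node_modules/';

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/hashd-edu".
function scanPackagesMap(packages, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    const idx = path.lastIndexOf(NM);
    if (idx === -1) continue; // root project ("") or workspace folder
    // Compare the whole final segment so "not-hashd-edu" or "@x/hashd-edu" do not match.
    if (path.slice(idx + NM.length) !== name) continue;
    hits.push({
      path,
      version: meta.version || null,
      hasInstallScript: meta.hasInstallScript === true, // install hook recorded by npm
    });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencyTree(deps, name, trail = []) {
  const hits = [];
  for (const [dep, meta] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name) {
      hits.push({ path: here.join(' > '), version: meta.version || null, hasInstallScript: null });
    }
    hits.push(...scanDependencyTree(meta.dependencies, name, here));
  }
  return hits;
}

function findInLockfile(lock, name = MALICIOUS_NAME) {
  // v2 lockfiles carry both sections; prefer "packages" to avoid double-reporting.
  return lock.packages
    ? scanPackagesMap(lock.packages, name)
    : scanDependencyTree(lock.dependencies, name);
}

// Constructed sample: hashd-edu pulled in transitively by a made-up package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/left-helper/node_modules/hashd-edu': { version: '0.0.0-constructed', hasInstallScript: true },
    'node_modules/not-hashd-edu': { version: '1.0.0' },
  },
};
console.log(findInLockfile(SAMPLE_LOCK));
```

Pass `findInLockfile` the parsed contents of your own `package-lock.json`; any hit means the package was resolved for that project, and hosts that installed or loaded it should be checked for traffic to the address named in the details above.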