MAL-2026-6351
Malicious code in delta-time-32bb (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bcbd5b3b8f7702c8cf59c094e98f078f68563d407235bce1dd0ec6e6522fe03b)

Package declares a postinstall hook (`"postinstall": "node run.js"` in package.json) that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process and collects host identifiers and environment data — `os.hostname()`, `os.userInfo()`, `os.platform()`, `process.env.USER`, `process.cwd()` — base64-encodes the payload via `Buffer.from(...).toString('base64')`, and POSTs over http/https. The package has no documented purpose justifying install-time host reconnaissance and outbound network. The shape (lifecycle-triggered collection of host identity + environment + base64 wrapping + HTTP POST) is a credential/host-recon exfiltration beacon executed without user interaction on default install.
Affected packages
No fixed version published yet for delta-time-32bb (npm). Pin to a known-safe version or switch to an alternative.