MAL-2026-7016
Malicious code in @vraksha/gh-helper (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8c867b4c68acc159dea1bbd580c5de3f3c9fef7bd1f54cd48a02c59631ffda12) On `npm install`, the package's postinstall hook runs index.js, which performs an HTTPS GET to https://http-logger-production.up.railway.app/payload, base64-decodes the response body (Buffer.from(data.trim(), 'base64').toString('utf-8')), and passes the decoded string to child_process.execSync with { shell: '/bin/bash' }. This is a fetch-decode-exec dropper: the executed content is attacker-controlled, mutable, and opaque, and it runs automatically at install time with the installer's privileges. No legitimate purpose (no shipped native source requiring a build, no vendor-matched SDK, no pinned artifact) justifies this pattern.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @vraksha/gh-helper (npm). Pin to a known-safe version or switch to an alternative.