npm · Malicious package advisory
Malwarees6-codify
MAL-2026-10062
Malicious code in es6-codify (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f) The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation. ## Source: ghsa-malware (b254a2963094593aae850663d576f1cd6126f45cb4b217b05c373461dc05e7c0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (9)
- 1.2.0
- 2.2.0
- 2.0.0
- 1.0.1
- 2.1.0
- 1.3.0
- 1.1.0
- 1.4.0
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.