npm · Malicious package advisory
Malwarevybscan-testbed-obfuscated-postinstall
MAL-2026-10079
Malicious code in vybscan-testbed-obfuscated-postinstall (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cf9aee5b150e0606b1c5c2469fdab43496965a3dd5664df288d68d618e326567)
package.json declares a postinstall lifecycle script that runs `node -e "eval(Buffer.from('<base64>','base64').toString())"`. Installing the package triggers execution of code that is not visible in the package source and is only materialized at install time by decoding an opaque literal. In this specific version the decoded blob is an inert console.log, but the mechanism — obfuscated-then-eval'd bytes wired into a lifecycle hook — is the canonical install-time remote-code-execution shape and has no legitimate use: it lets whoever controls the package substitute arbitrary code at install without changing readable source. The package's self-description as a testbed fixture does not neutralize the pattern; the same install-time hook would execute whatever bytes were placed in the base64 literal.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.