VYPR

npm · Malicious package advisory

Malware

npm-rce-safe-proof-yourname

MAL-2026-10159

Malicious code in npm-rce-safe-proof-yourname (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab)
On `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose (`npm script for showing date strings`) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.