VYPR

npm · Malicious package advisory

Malware

trinity-scheme

MAL-2026-10425

Malicious code in trinity-scheme (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5d576c0487668f599137a479e17ddc1335935fdec631f7d5adfa9e73049d7652)
On npm install, the package's preinstall lifecycle reads a hex-encoded `command` string from preinstall.json, decodes it via Buffer.from(..., 'hex'), and passes the decoded shell command to child_process.exec. The decoded payload collects the installer's `whoami`, `pwd`, and `hostname` output and POSTs the values to the hardcoded endpoint https://eo7o7j442dx6yl6.m.pipedream.net/. The command is stored in hex form to evade plain-text scanning; the package otherwise provides no functionality consistent with its declared name.

Compromised versions (1)

  • 20.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.