VYPR

npm · Malicious package advisory

Malware

@sectest429/hello-npm-world

MAL-2026-10478

Malicious code in @sectest429/hello-npm-world (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (479b9303d76a49dfacb402f0a906e32686b5d276e23f429678150e73e506550d)
The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.

Compromised versions (1)

  • 1.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.