npm · Malicious package advisory
Malware@sectest429/hello-npm-world
MAL-2026-10478
Malicious code in @sectest429/hello-npm-world (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (479b9303d76a49dfacb402f0a906e32686b5d276e23f429678150e73e506550d) The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.