npm · Malicious package advisory
Malwarediscovery-build
MAL-2026-4266
Malicious code in discovery-build (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c24a1e59b8c5d3ae1059499825bf47d1abe8d362ddefe264f1a429ed9e7e98cc)
package.json declares scripts.postinstall=node postinstall.js, which executes unconditionally on `npm install`. The script collects host identifiers (os.hostname(), os.platform(), username, cwd), reads /etc/passwd via fs.readFileSync('/etc/passwd','utf8'), and bulk-enumerates the installer's environment variables (Object.entries(process.env).slice(0, 30)) — capturing whatever CI tokens, AWS credentials, npm tokens, or other secrets happen to be in scope. The collected data is POSTed as JSON over HTTPS to bl0oxto4g54mptbwu8q8i1r0mrsjgg45.oastify.com, a Burp Collaborator out-of-band testing subdomain controlled by whoever generated the payload. The package's self-description as a 'security research canary' does not change installer-side impact: any developer or CI pipeline that installs this package leaks host identity, /etc/passwd, and a slice of environment secrets to an external host without consent.
## Source: ossf-package-analysis (122f28edfb2fdddb4059785146e58b64540086c0df37ced45b5bbc9d2dff926a)
The OpenSSF Package Analysis project identified 'discovery-build' @ 1.0.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (4)
- 1.0.1
- 1.0.3
- 1.0.2
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.