VYPR

npm · Malicious package advisory

Malware

discovery-build

MAL-2026-4266

Malicious code in discovery-build (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c24a1e59b8c5d3ae1059499825bf47d1abe8d362ddefe264f1a429ed9e7e98cc)
package.json declares scripts.postinstall=node postinstall.js, which executes unconditionally on `npm install`. The script collects host identifiers (os.hostname(), os.platform(), username, cwd), reads /etc/passwd via fs.readFileSync('/etc/passwd','utf8'), and bulk-enumerates the installer's environment variables (Object.entries(process.env).slice(0, 30)) — capturing whatever CI tokens, AWS credentials, npm tokens, or other secrets happen to be in scope. The collected data is POSTed as JSON over HTTPS to bl0oxto4g54mptbwu8q8i1r0mrsjgg45.oastify.com, a Burp Collaborator out-of-band testing subdomain controlled by whoever generated the payload. The package's self-description as a 'security research canary' does not change installer-side impact: any developer or CI pipeline that installs this package leaks host identity, /etc/passwd, and a slice of environment secrets to an external host without consent.

## Source: ossf-package-analysis (122f28edfb2fdddb4059785146e58b64540086c0df37ced45b5bbc9d2dff926a)
The OpenSSF Package Analysis project identified 'discovery-build' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (4)

  • 1.0.1
  • 1.0.3
  • 1.0.2
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.