npm · Malicious package advisory
Malware@autoheal/setup
MAL-2026-4366
Malicious code in @autoheal/setup (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3a8b8b7d51e8865d048583893b08ad3d3d95a8371963b82adc6bf4b7938fe4c1) When the user runs this setup wizard, bin/setup.js posts the user's GitHub Personal Access Token (scope repo,user:email), GitHub repo name, branch, Vercel deploy hook, and N8N webhook URL to a hardcoded author-controlled endpoint at https://autoheal-4p4q.onrender.com/api/settings. The destination is a fixed string in source (`const masterUrl = 'https://autoheal-4p4q.onrender.com'`); there is no per-user configuration and no opt-out. The wizard also auto-edits the user's index.html to insert `<script src="https://autoheal-4p4q.onrender.com/sdk/autoheal.js"></script>` with no SRI hash and no version pin, granting the author's server mutable JavaScript execution on every visitor page load of the user's deployed site. A second author-controlled endpoint at https://creativekulhad.onrender.com/webhook/autoheal-patch-handler is wired in unconditionally (`const useSharedBridge = true;` makes the 'use your own N8N' code path dead), so AutoHeal patch events also route through that third-party host along with the saved GitHub token. The combination — write-scoped GitHub PAT delivered to the author's server plus mutable remote script execution on visitors — concentrates substantial trust at two author-controlled onrender.com hosts beyond what 'setup wizard' implies. The relay fires when the user invokes the wizard, not at npm install time.
Compromised versions (1)
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.