npm · Malicious package advisory
Malware@gad360/apothem
MAL-2026-4391
Malicious code in @gad360/apothem (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3)
The package's package.json declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on npm install. install.js requires fs, os, https, and child_process, reads environment variables and host metadata (process.env, process.platform, process.arch, os.tmpdir, fs.readFileSync), and issues an https.get to the hardcoded endpoint https://ahmedgad.com. The combination of a hardcoded non-publisher destination with environment/system reads inside a lifecycle script is the canonical install-time exfiltration shape. The destination is unrelated to any documented vendor SDK or runtime CDN, and there is no version pinning, hash verification, or build-from-source justification for the network call.
Compromised versions (1)
- 1.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.