VYPR

npm · Malicious package advisory

Malware

@thesignup/cli

MAL-2026-4456

Malicious code in @thesignup/cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367)
The package's scripts/postinstall.cjs runs at install time and performs host reconnaissance (hostname collection, ping/network probing) and posts the results to a remote endpoint via HTTP POST. Lifecycle-time outbound network beacons that gather host identifiers and ship them off-host on `npm install` are an active-attack shape: every installer of this package becomes a data point for the operator, with no consent and no opt-out, and the beacon fires before the user has even had a chance to read the README. The structural fingerprint (postinstall + ping + hostname read + POST to a remote host) is the canonical install-time exfiltration pattern.

Compromised versions (1)

  • 0.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.