npm · Malicious package advisory
Malwarebanana-stand
MAL-2026-4495
Malicious code in banana-stand (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720)
On `npm install`, the package's `install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module reads `os.userInfo().username`, `os.hostname()`, and the basename of `process.cwd()`, then issues a `dns.resolve4` lookup for `lwbanana.<username>.<hostname>.<cwd>.<unixtime>.oob.sl4x0.xyz`, smuggling host identifiers out-of-band via DNS to an author-controlled domain. The same path also fires on `require('banana-stand')` because `main` points at the same entry. Strings used to construct the exfil (`os`, `dns`, `userInfo`, `hostname`, `cwd`, `resolve4`, and the destination domain `oob.sl4x0.xyz`) are concealed as `String.fromCharCode` byte arrays in `lib/6ad264.js` and `lib/b02e30.js` and decoded at runtime, indicating intentional concealment of the exfiltration channel.
Compromised versions (1)
- 9.9.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.