npm · Malicious package advisory
Malwareclawpro-diagnostics-metrics-cls
MAL-2026-4527
Malicious code in clawpro-diagnostics-metrics-cls (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7d176cad00849132cb8df7ca53ac064e1980cea09bfe9b25836a78b4719b08ea)
The package's dist/index.js contains hardcoded HTTP POST calls targeting http://metadata.tencentyun.com along with reads of process.platform and related host identifiers. The endpoint is a cloud-metadata-style hostname being contacted over plain HTTP from package code, not a documented SDK. The package name ("diagnostics-metrics") combined with hardcoded outbound POSTs to a fixed external endpoint at module load matches the silent-beacon / data-exfiltration shape: any installer that requires this package will have host attributes transmitted to the hardcoded destination without consent or configuration.
Compromised versions (1)
- 3.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.