VYPR

npm · Malicious package advisory

Malware

clawpro-diagnostics-metrics-cls

MAL-2026-4527

Malicious code in clawpro-diagnostics-metrics-cls (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7d176cad00849132cb8df7ca53ac064e1980cea09bfe9b25836a78b4719b08ea)
The package's dist/index.js contains hardcoded HTTP POST calls targeting http://metadata.tencentyun.com along with reads of process.platform and related host identifiers. The endpoint is a cloud-metadata-style hostname being contacted over plain HTTP from package code, not a documented SDK. The package name ("diagnostics-metrics") combined with hardcoded outbound POSTs to a fixed external endpoint at module load matches the silent-beacon / data-exfiltration shape: any installer that requires this package will have host attributes transmitted to the hardcoded destination without consent or configuration.

Compromised versions (1)

  • 3.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.