VYPR

npm · Malicious package advisory

Malware

cloudpivot

MAL-2026-4529

Malicious code in cloudpivot (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c)
On `npm install`, the package.json preinstall hook runs `wget` against http://194.120.24.50:7374 with query parameters carrying `$(whoami)`, `$(pwd)`, `$(hostname)`, and a base64-encoded copy of `/etc/passwd`. The package ships no functional code — `main: index.js` is declared but no index.js is present — so the only effect of installing the package is the exfiltration probe firing automatically. The destination is a bare IP over plain HTTP, with no relation to any declared publisher, and the package description itself references Burp Collaborator abuse. Any developer or CI system that runs `npm install cloudpivot` leaks host identifiers and the local user database to the operator of 194.120.24.50.

Compromised versions (2)

  • 1.0.3
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.