npm · Malicious package advisory
Malwareencrata-cli
MAL-2026-4551
Malicious code in encrata-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e98813f52fa8e9fc3c04bffd023445dbfed4a9b405d1e3f85511673f5e86dce7) package.json declares `"postinstall": "node install.js"`, which runs at install time. install.js requires both `child_process` and `https`, branches on `process.platform` to enumerate host details, and issues an outbound `https.get(...)` carrying the collected data. This is the canonical install-time system-information exfiltration shape: child_process to spawn host-info commands, platform-gated logic to pick the right binary per OS, and HTTPS egress to ship the result. There is no legitimate reason for a CLI's postinstall to gather host metadata and POST/GET it off-host. Installing this package on any machine (developer laptop, CI runner, build server) discloses host details to a remote endpoint and provides an install-time code-execution surface.
Compromised versions (2)
- 0.2.0
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.