VYPR

npm · Malicious package advisory

Malware

fnd-stores

MAL-2026-4565

Malicious code in fnd-stores (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (62c9035e303ec731c71c689ed77eed17b245cd4adc475cb616ff94991539aa56)
On `npm install`, the package's postinstall hook runs `node index.js`, which collects the installer's hostname, OS platform, current working directory, CI environment indicators, Node version, and OS username via `os.hostname()`, `os.platform()`, `os.userInfo()`, `process.cwd()`, and process env, and POSTs the payload as JSON to `https://webhook.site/604bab71-0179-419e-998e-6f15e524bfd7` (a publisher-controlled webhook bin). The README self-describes the package as a dependency-confusion canary targeting an internal package namespace, and the name is chosen to collide with that internal scope. Any developer or build pipeline that resolves this package leaks internal hostnames, usernames, working-directory paths, and CI job metadata to a third party at install time, without consent. Claimed 'authorized research' status does not change the installer-side harm.

Compromised versions (2)

  • 0.0.7
  • 0.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.