npm · Malicious package advisory
Malwaregit-userhub
MAL-2026-4573
Malicious code in git-userhub (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (859f77ac10aa89722823e0477f8f6986db2b54dd25b1b2aedb05ee31d5891071)
Package name 'git-userhub' is a lookalike of a GitHub-related identity, with no legitimate publisher backing. The package.json declares a postinstall hook ("postinstall": "node install.js") that runs install.js on every npm install. install.js requires child_process and performs multiple https.get calls together with hostname/identity reads — the canonical install-time fetch-and-exec shape. There is no shipped native source tree, no publisher-matching CDN, and no version-pinned binary that would justify a postinstall network fetch. Combined with the lookalike package name (git-<project> typosquat shape used by recent supply-chain droppers), the structure matches a postinstall dropper that spawns child processes against fetched content on the installer's machine. Installing this package risks remote code execution and host/identity exfiltration on the installer's system or CI runner.
Compromised versions (2)
- 2.1.4
- 2.1.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.