npm · Malicious package advisory
Malwareharness-skil
MAL-2026-4577
Malicious code in harness-skil (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6) The package's install.js (wired to an npm install lifecycle hook) requires child_process, fs, and https, then issues an https.get to a raw.githubusercontent.com URL and writes/executes the fetched content with environment variables passed through. Fetching code from a personal/raw GitHub user content URL — a mutable, non-publisher, non-version-pinned source — and running it as part of `npm install` is the canonical install-time dropper shape: any installer of harness-skil executes whatever bytes currently live at that URL, with no integrity check or pinning. The package's name does not indicate a legitimate need to download external code at install time, and the destination is not a publisher-owned or known runtime CDN.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.