VYPR

npm · Malicious package advisory

Malware

harness-skil

MAL-2026-4577

Malicious code in harness-skil (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6)
The package's install.js (wired to an npm install lifecycle hook) requires child_process, fs, and https, then issues an https.get to a raw.githubusercontent.com URL and writes/executes the fetched content with environment variables passed through. Fetching code from a personal/raw GitHub user content URL — a mutable, non-publisher, non-version-pinned source — and running it as part of `npm install` is the canonical install-time dropper shape: any installer of harness-skil executes whatever bytes currently live at that URL, with no integrity check or pinning. The package's name does not indicate a legitimate need to download external code at install time, and the destination is not a publisher-owned or known runtime CDN.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.