VYPR

npm · Malicious package advisory

Malware

omnius

MAL-2026-4626

Malicious code in omnius (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12)
The package's postinstall lifecycle hook launches dist/postinstall-daemon.cjs, which combines child_process.execSync, os.userInfo(), filesystem probes, and network primitives (require('http'), http.request, GET) consistent with a host-reconnaissance-and-exfiltration daemon. The script repeatedly invokes ping (5+ call sites at lines 184, 298, 465, 693, 741) for host/network discovery, and reads identity (os.userInfo at L160, L395) before sending HTTP requests. package.json declares both preinstall and postinstall hooks and additionally embeds curl invocations (line 142). A sibling Python script (dist/scripts/web_scrape.py) contains its own ping/wget/POST chain. The combination of: (a) a daemon installed via lifecycle hooks, (b) execSync-driven system enumeration, (c) outbound HTTP from install-time-reachable code, and (d) multiple curl shell-outs in package.json constitutes installer-side reconnaissance with network exfiltration. Installing this package will execute attacker-controlled probing/exfiltration on the installer's machine.

Compromised versions (9)

  • 1.0.153
  • 1.0.155
  • 1.0.147
  • 1.0.136
  • 1.0.145
  • 1.0.148
  • 1.0.140
  • 1.0.141
  • 1.0.157

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.