npm · Malicious package advisory
Malwareomnius
MAL-2026-4626
Malicious code in omnius (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12)
The package's postinstall lifecycle hook launches dist/postinstall-daemon.cjs, which combines child_process.execSync, os.userInfo(), filesystem probes, and network primitives (require('http'), http.request, GET) consistent with a host-reconnaissance-and-exfiltration daemon. The script repeatedly invokes ping (5+ call sites at lines 184, 298, 465, 693, 741) for host/network discovery, and reads identity (os.userInfo at L160, L395) before sending HTTP requests. package.json declares both preinstall and postinstall hooks and additionally embeds curl invocations (line 142). A sibling Python script (dist/scripts/web_scrape.py) contains its own ping/wget/POST chain. The combination of: (a) a daemon installed via lifecycle hooks, (b) execSync-driven system enumeration, (c) outbound HTTP from install-time-reachable code, and (d) multiple curl shell-outs in package.json constitutes installer-side reconnaissance with network exfiltration. Installing this package will execute attacker-controlled probing/exfiltration on the installer's machine.
Compromised versions (9)
- 1.0.153
- 1.0.155
- 1.0.147
- 1.0.136
- 1.0.145
- 1.0.148
- 1.0.140
- 1.0.141
- 1.0.157
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.