npm · Malicious package advisory
Malwarepewter-constants
MAL-2026-4637
Malicious code in pewter-constants (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5)
On `npm install`, a preinstall hook in callback.js collects os.hostname(), os.userInfo().username, process.cwd(), the configured npm registry (`npm_config_registry`), and CI repo identifiers (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME) and HTTP-GETs them to `http://75.119.137.232:31337/depconfuse`. The package is shaped as a dependency-confusion squat: version `9999.0.0` to win semver resolution against an internal package of the same name, an empty `index.js` (`module.exports = {}`), and placeholder author/description metadata (`Security Researcher`, `Security research placeholder`). Any build that resolves `pewter-constants` from the public registry will install this package and silently leak its internal registry URL, CI repo path, and host/user identity to a third-party operator over plain HTTP. The 'security research' framing in the metadata does not change the installer-side impact — internal infrastructure is fingerprinted and disclosed without consent.
Compromised versions (1)
- 9999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.