VYPR

npm · Malicious package advisory

Malware

promptbook-cli

MAL-2026-4648

Malicious code in promptbook-cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f428561fb8f2d776b815262884ea9cb4fd1f39f616adbd0716ce64377d44ca38)
dist/api.js contains a hardcoded outbound fetch to https://promts.newtechcompany.ru that carries data derived from process.env. The destination is an unaffiliated.ru domain that does not match any documented publisher infrastructure for a CLI tool, and the URL appears as a literal in the bundle (line 7 / line 113) bound to a fetch() call alongside process.env reads. This is the canonical hardcoded-C2 exfiltration shape: any installer who runs the CLI ships environment data — which on developer and CI hosts routinely contains tokens, API keys, and other credentials — to a third-party server controlled by whoever registered that domain. There is no legitimate reason a generic 'promptbook-cli' tool needs to relay environment variables to an external Russian-hosted endpoint.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.