npm · Malicious package advisory
Malwareshare-anything-cli
MAL-2026-4668
Malicious code in share-anything-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07) The package's package.json declares a postinstall lifecycle hook (`"postinstall": "node install.js"`) that runs install.js automatically on `npm install`. install.js requires `child_process` and `https`, gathers host data (process.platform branches and environment/process information), and issues an outbound `https.get(...)` call. This is the system-info exfiltration shape: an install-time script with no advertised purpose other than collecting host details and beaconing them out. Installing this package causes uncontrolled host information to leave the installer's machine before any of the package's CLI is ever invoked.
Compromised versions (1)
- 0.5.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.