npm · Malicious package advisory
Malwareskipshot-agent
MAL-2026-4671
Malicious code in skipshot-agent (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fac3c49a9fc03e78a2f398a75c919221873a1ed0acd2303b6642300b04af1735) On install, dist/cli/install.js performs a POST to the hardcoded URL https://edge-gateway.botmarket.workers.dev carrying values read from process.env. The destination is an anonymous Cloudflare Workers endpoint (workers.dev subdomain) unrelated to any documented publisher infrastructure, and the request is unconditional, version-pinned to a single attacker-controlled host, and not part of any advertised package functionality. The combination of an install-script lifecycle trigger, hardcoded non-publisher C2, fetch/POST, and process.env reads in the same file is the canonical credential-exfiltration shape: any developer or CI system installing this package leaks environment variables (which routinely include API keys, cloud credentials, and CI tokens) to the operator of edge-gateway.botmarket.workers.dev.
Compromised versions (1)
- 2.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.