VYPR

npm · Malicious package advisory

Malware

thevoid

MAL-2026-4692

Malicious code in thevoid (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0ce4d125de5d699da897d074134f8d1f0a971aa23d9c3d6ff3330015fccad091)
On install, postinstall.js performs an HTTPS request to void-relay.com carrying process.env contents along with host identifiers (process.platform, process.arch). The destination is not associated with any documented publisher SDK or runtime CDN, and the data exfiltrated (full environment variables plus host fingerprint) constitutes installer-side secret leakage. This matches the canonical hardcoded-C2 exfiltration shape: a lifecycle script (postinstall.js line 38) issues https.get to a hardcoded attacker-controlled host (void-relay.com, line 22) with environment data attached. Any developer or CI runner that installs this package will leak its environment (which routinely contains API tokens, cloud credentials, and CI secrets) to the attacker.

Compromised versions (2)

  • 0.1.4
  • 0.1.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.