npm · Malicious package advisory
Malwarevestibulect
MAL-2026-4702
Malicious code in vestibulect (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e)
package.json declares a postinstall hook ("postinstall": "node install.js") which executes install.js automatically on `npm install`. install.js imports `fs` and `https`, enumerates the filesystem via `fs.readdirSync(...)` and reads file contents with `fs.readFileSync(...)`, then performs outbound network calls via `https.get(...)`. This combination — directory enumeration, file read, and unconditional outbound HTTPS in an install lifecycle script — is the canonical filesystem-to-network exfiltration shape and produces a direct attacker benefit: any developer or CI machine running `npm install vestibulect` has local file contents transmitted off-host to whatever destination the script chooses. The package has no advertised purpose that would justify reading local files at install time.
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.