VYPR

npm · Malicious package advisory

Malware

exodus-secure-container

MAL-2026-5441

Malicious code in exodus-secure-container (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (92bc77b12251baa18392bd90e84d6bdc57aaef9a8c774f8cb29a0066e80f76b5)
On `npm install`, the package runs `node src/canary.js` as a postinstall hook. That script performs a DNS lookup and HTTPS GET to the hardcoded host `96e03fa6c292469a-172-245-86-254.serveousercontent.com/c` — an anonymous serveo.net reverse-tunnel endpoint, not a publisher CDN. The beacon fires unconditionally on every install, signalling the installer's public IP and DNS-resolver identity to a third-party host. The package itself has no functionality: `src/index.js` is `module.exports = {}`, and the version `99.0.0-canary.1` is engineered to win semver resolution against an internal package of the same name (dependency-confusion canary shape). Whether the operator is a researcher or a hostile actor, any environment that resolves this name against the public registry leaks install-time identity to an attacker-controllable tunnel.

Compromised versions (1)

  • 99.0.0-canary.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.