npm · Malicious package advisory
Malwareexodus-secure-container
MAL-2026-5441
Malicious code in exodus-secure-container (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (92bc77b12251baa18392bd90e84d6bdc57aaef9a8c774f8cb29a0066e80f76b5)
On `npm install`, the package runs `node src/canary.js` as a postinstall hook. That script performs a DNS lookup and HTTPS GET to the hardcoded host `96e03fa6c292469a-172-245-86-254.serveousercontent.com/c` — an anonymous serveo.net reverse-tunnel endpoint, not a publisher CDN. The beacon fires unconditionally on every install, signalling the installer's public IP and DNS-resolver identity to a third-party host. The package itself has no functionality: `src/index.js` is `module.exports = {}`, and the version `99.0.0-canary.1` is engineered to win semver resolution against an internal package of the same name (dependency-confusion canary shape). Whether the operator is a researcher or a hostile actor, any environment that resolves this name against the public registry leaks install-time identity to an attacker-controllable tunnel.
Compromised versions (1)
- 99.0.0-canary.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.