VYPR

npm · Malicious package advisory

Malware

grateful-payments

MAL-2026-5445

Malicious code in grateful-payments (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471)
On `npm install`, the package's postinstall script (src/canary.js) performs a DNS lookup and HTTPS GET to the hardcoded host `96e03fa6c292469a-172-245-86-254.serveousercontent.com` at path `/c`. serveousercontent.com is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to a verifiable publisher. Every installer's machine emits an unconsented outbound network call at install time, revealing source IP, DNS resolver path, and install timing to the tunnel operator — a classic install-fleet beaconing pattern used to confirm compromise reach. The package's own metadata describes itself as a HackerOne research canary with an empty main module, but the install-time network behavior is identical to a real install-time beacon and runs on anyone who installs this version.

Compromised versions (1)

  • 99.0.0-canary.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.