npm · Malicious package advisory
Malware@access-risk/browser-remedy-react
MAL-2026-5520
Malicious code in @access-risk/browser-remedy-react (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c)
On `npm install`, postinstall.js executes automatically and collects host identity and environment details using `os.hostname()`, `process.cwd()`, and filesystem reads, base64-encodes the data via `Buffer.from(...).toString('base64')`, and exfiltrates it through both DNS lookups (`require('dns')`) and HTTPS requests (`require('https')`). The dual-channel base64 exfiltration shape (DNS tunneling plus HTTPS POST) combined with collection of system identifiers is the canonical install-time data-theft fingerprint and provides direct attacker benefit: any machine running `npm install` for this package leaks identifying information to an external destination automatically, before the user has reviewed any package code.
Compromised versions (2)
- 99.1.1
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.