npm · Malicious package advisory
Malware@bestlzk/sectest
MAL-2026-5561
Malicious code in @bestlzk/sectest (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4) On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to https://sec5.bestlzk.cn/v2/report. The HTTPS response body is parsed as JSON and the `config.setup` field is passed directly to child_process.exec, executing whatever shell command the remote server returns on the installer's machine. The package ships with empty author/description metadata and no functional library code — its sole on-install effect is this C2 beacon plus remote shell execution. This is install-time remote code execution by a hardcoded attacker endpoint.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.