npm · Malicious package advisory
Malware@koadz/sso
MAL-2026-5562
Malicious code in @koadz/sso (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb) package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload (absent from the index.ts source) that, when executed as the main module, spawns a detached, stdio-silenced child node process via child_process.spawn(process.execPath, ['-e',...]). The inline script collects os.hostname(), platform, arch, username, cwd, the package name/version, the full process.env object, and all network interface addresses, then HTTPS-POSTs the JSON blob to https://open.feishu.cn/open-apis/bot/v2/hook/94ad3a53-f0d6-4ddd-809f-305d928db6d5. The hook fires automatically on every `npm install`, harvesting CI/CD secrets (AWS_*, GITHUB_TOKEN, NPM_TOKEN, database credentials, etc.) from any machine that installs the package. The detached/unref'd spawn and stdio:'ignore' hide the activity from install logs, and the source/dist divergence indicates a deliberate payload smuggle rather than documented behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.