npm · Malicious package advisory
Malwarefield-upload-tool
MAL-2026-5567
Malicious code in field-upload-tool (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1) On every `npm install`, the package's `postinstall` lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encoded payload via `node -e Buffer.from(...,'base64').toString()` and executes it. The decoded payload enumerates the installer's full `process.env` (excluding only `npm_lifecycle*` keys, which routinely captures CI/CD secrets, cloud credential env vars, and access tokens), reads `os.networkInterfaces()`, `os.hostname()`, `os.userInfo().username`, the platform, and the current working directory, and HTTPS-POSTs the collected data to a hardcoded Lark/Feishu bot webhook at `open.larksuite.com/open-apis/bot/v2/hook/f1ad5ad2-4ba6-4c9d-afc2-0e908cba26a7` after a randomized 15–45 second delay. The payload also contains sandbox-evasion logic that aborts when canonical example AWS keys, dummy-token patterns (`R4nD0m`, `F4k3T0k3n`, `dummy`), or `NODE_OPTIONS=--require` analyzer hooks are detected, confirming hostile intent. The detached + unref'd spawn pattern is designed to outlive the install process and hide output.
Compromised versions (1)
- 1.10.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.