npm · Malicious package advisory
Malwarenim-submit-for-test
MAL-2026-5570
Malicious code in nim-submit-for-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2bf75301042574897cc2f4bd8f3b8939fe4ac7a958f2cfe2404bbbee149797d0)
On npm install, the package's postinstall hook executes lib/_compiler.js, which spawns a detached Node process that collects host identity (hostname, username, cwd, IP addresses, npm registry) and the names of environment variables matching NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY, then POSTs them via https.request to a hardcoded DingTalk webhook (oapi.dingtalk.com/robot/send) with an embedded access token. Before sending, the script checks the installer's username and hostname against an evasion list ('sandbox','malware','analyst','cuckoo','analysis','sample') and exits silently when matched, to avoid running in security analysis environments. The combination of automatic install-time execution, host/CI metadata collection, hardcoded attacker-controlled webhook, and analyst-environment evasion is a clear supply-chain exfiltration beacon.
Compromised versions (1)
- 2.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.