npm · Malicious package advisory
Malwareqa-handoff
MAL-2026-5571
Malicious code in qa-handoff (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851) On `npm install`, the package automatically executes lib/_setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that collects host identifiers (hostname, username, platform, architecture, IPv4 addresses, current working directory, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS POSTs that payload to a hardcoded DingTalk bot webhook (oapi.dingtalk.com/robot/send) using an embedded access token. Before sending, the script checks whether the username or hostname contains any of 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', 'sample' and silently skips the beacon if so — explicit sandbox/analyst evasion that confirms malicious intent. The pattern matches the canonical dependency-confusion reconnaissance beacon used to fingerprint internal CI/build environments for follow-on attacks.
Compromised versions (1)
- 0.13.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.