VYPR

npm · Malicious package advisory

Malware

wp-env

MAL-2026-5582

Malicious code in wp-env (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759)
Package squats the `wp-env` CLI name commonly invoked as `npx wp-env` by users intending @wordpress/env. The package ships only `bin/run.js` (declared `main: index.js` is absent from the tarball), so its sole execution surface is the bin script that fires when a developer runs `npx wp-env`. On execution, bin/run.js reads `process.env.INIT_CWD`, derives the basename of the installer's project directory, and POSTs it together with timestamp and package metadata to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc43de99-70fc-4782-8668-bec6eee1975b`. The package self-describes as a 'Security PoC for Bug Bounty' — name-confusion attack against @wordpress/env combined with concrete installer-side data exfiltration (the project directory basename, sent to an attacker-controlled host that uses a per-target callback path to identify successfully-confused victims). This satisfies both the typosquat shape (≤2 char edit / namespace confusion vs. @wordpress/env's `wp-env` CLI) and a concrete exfil payload to an attacker-controlled destination.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.