npm · Malicious package advisory
Malwarewp-env
MAL-2026-5582
Malicious code in wp-env (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759) Package squats the `wp-env` CLI name commonly invoked as `npx wp-env` by users intending @wordpress/env. The package ships only `bin/run.js` (declared `main: index.js` is absent from the tarball), so its sole execution surface is the bin script that fires when a developer runs `npx wp-env`. On execution, bin/run.js reads `process.env.INIT_CWD`, derives the basename of the installer's project directory, and POSTs it together with timestamp and package metadata to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc43de99-70fc-4782-8668-bec6eee1975b`. The package self-describes as a 'Security PoC for Bug Bounty' — name-confusion attack against @wordpress/env combined with concrete installer-side data exfiltration (the project directory basename, sent to an attacker-controlled host that uses a per-target callback path to identify successfully-confused victims). This satisfies both the typosquat shape (≤2 char edit / namespace confusion vs. @wordpress/env's `wp-env` CLI) and a concrete exfil payload to an attacker-controlled destination.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.