npm · Malicious package advisory
Malwarebackup-my-data
MAL-2026-5603
Malicious code in backup-my-data (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6)
The package's collect.js loads child_process, fs, os, http and https, gathers host identifiers via os.hostname() and os.homedir(), enumerates filesystem paths via fs.existsSync, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net (collect.js line 13, POST at line 366). The package's stated purpose ('backup-my-data') is a cover; the runtime behavior is system-information harvesting and exfiltration to an attacker-controlled host that has no relationship to the package name or any documented backup service. Installing or loading this package leaks host identity and filesystem reconnaissance data to a third-party endpoint.
Compromised versions (3)
- 1.0.9
- 1.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.