npm · Malicious package advisory
Malwareedu-npm-postinstall-demo2
MAL-2026-5624
Malicious code in edu-npm-postinstall-demo2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1) On `npm install`, postinstall.js reads the installer's `.env` file from INIT_CWD, harvests environment variable values (DEMO_-prefixed), collects host identifiers via os.hostname() and os.platform(), and POSTs the combined payload to a hardcoded ngrok tunnel at https://scary-blooper-brewery.ngrok-free.dev/collect. The package describes itself as an educational demo, but the destination is an anonymous, author-mutable tunneling host with no publisher relationship — the canonical install-time exfiltration shape. Additionally, package.json declares a `build` script pointing at scripts/mine_cyrpto.js (misspelled 'crypto'); the file is currently empty and not auto-invoked, but its presence in the tarball is a quality/intent signal alongside the exfil. Installer harm is concrete and automatic on default install: filesystem read of installer secrets + host fingerprinting + outbound transmission to an attacker-style endpoint. ## Source: ossf-package-analysis (fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea) The OpenSSF Package Analysis project identified 'edu-npm-postinstall-demo2' @ 1.0.3 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (3)
- 1.0.3
- 1.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.