npm · Malicious package advisory
Malwareworkflow-postgres-setup
MAL-2026-5715
Malicious code in workflow-postgres-setup (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963) The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry `index.js` is absent from the tarball. Its only functional code is `bin/run.js`, which on invocation (via `npx workflow-postgres-setup` or the installed bin) reads `process.env.INIT_CWD || process.cwd()`, takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at `https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1`. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept. Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.