VYPR

npm · Malicious package advisory

Malware

workflow-postgres-setup

MAL-2026-5715

Malicious code in workflow-postgres-setup (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963)
The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry `index.js` is absent from the tarball. Its only functional code is `bin/run.js`, which on invocation (via `npx workflow-postgres-setup` or the installed bin) reads `process.env.INIT_CWD || process.cwd()`, takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at `https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1`. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept. Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.