npm · Malicious package advisory
Malware@ci-lifecycle-test/postinstall-ping
MAL-2026-5723
Malicious code in @ci-lifecycle-test/postinstall-ping (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509)
The package's postinstall lifecycle script (postinstall.js) executes automatically on `npm install` and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with `.catch(() => {})` so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license-check, telemetry-disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.