VYPR

npm · Malicious package advisory

Malware

node-app-doctor

MAL-2026-5733

Malicious code in node-app-doctor (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e)
collect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.

Compromised versions (3)

  • 1.0.9
  • 1.0.2
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
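To scope the rotation above, a check for whether a project's lockfile pins one of the three listed versions, directly or transitively, in both npm lockfile layouts. This is an added example, not code from the advisory or from any scanner; the sample lockfile, the `demo-app` project and the `left-helper` package are constructed.

```javascript
// Added example. Package name, advisory id and versions are from the advisory;
// the sample lockfile and the "left-helper" package are constructed.
const ADVISORY = {
  id: "MAL-2026-5733",
  name: "node-app-doctor",
  versions: new Set(["1.0.9", "1.0.2", "1.0.1"]),
};

// Return every install path where a parsed package-lock.json pins a listed version.
function findCompromised(lock, advisory = ADVISORY) {
  const hits = [];
  const record = (name, version, path) => {
    const listed = name === advisory.name && advisory.versions.has(version);
    if (listed && !hits.some((h) => h.path === path)) hits.push({ path, version });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "name" is only present when it differs from the folder (e.g. an alias).
    record(meta.name || path.split("node_modules/").pop(), meta.version, path);
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed lockfileVersion 3 sample: one transitive hit, one unlisted version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/left-helper": { version: "2.0.0" },
    "node_modules/left-helper/node_modules/node-app-doctor": { version: "1.0.2" },
    "node_modules/node-app-doctor": { version: "1.0.3" },
  },
};

console.log(ADVISORY.id, findCompromised(sampleLock));
```

Pass it the result of `JSON.parse` on each project's `package-lock.json`. A hit shows the version was resolved for that project; the machines that actually ran `npm install` against that lockfile are the ones the guidance above applies to.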