npm · Malicious package advisory
Malware · postinstall-logger-7x9z
MAL-2026-5738
Malicious code in postinstall-logger-7x9z (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e)
On install, package.json's postinstall hook ("postinstall": "node run.js") triggers execution of bundled beacon scripts (beacon15.js and beacon_linux.js). These scripts pull in child_process, os, and http modules and issue outbound HTTP GET/POST requests carrying host identifiers including os.hostname() and os.platform(). The combination of automatic execution at install time, host-information collection, and outbound HTTP requests to a hardcoded destination is the canonical install-time exfiltration beacon shape. Any developer or CI system running `npm install` for this package will silently leak host data and execute code from the bundled scripts under the installing user's privileges.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
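A static triage check for the install-time beacon shape described in the details above, added here as an example (it is not code from the package or from the advisory source). The function names, the signal names and the sample file contents are assumptions constructed for illustration; only the hook command and the script file names come from the advisory.

```javascript
// Static triage: does an npm lifecycle hook reach code that imports child_process,
// imports http(s), and reads os.hostname()/os.platform()? Nothing is executed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const SIGNALS = {
  importsChildProcess: /\brequire\(\s*['"](?:node:)?child_process['"]\s*\)/,
  readsHostIdentifiers: /\bos\.(?:hostname|platform)\s*\(/,
  importsHttp: /\brequire\(\s*['"](?:node:)?https?['"]\s*\)/,
};

// Follow the hook's entry file and every local file it require()s, recursively.
// `files` maps package-relative paths to source text (the caller reads them from disk).
function reachableFiles(entry, files, seen = new Set()) {
  const name = entry.replace(/^\.\//, '');
  const key = files[name] !== undefined ? name : `${name}.js`;
  if (seen.has(key) || files[key] === undefined) return seen;
  seen.add(key);
  for (const m of files[key].matchAll(/require\(\s*['"](\.\/[^'"]+)['"]\s*\)/g)) {
    reachableFiles(m[1], files, seen);
  }
  return seen;
}

// Return one finding per lifecycle hook; beaconShape is true when all signals co-occur.
function auditPackage(manifest, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    const m = /^node\s+(\S+)/.exec(command);
    const reached = m ? [...reachableFiles(m[1], files)] : [];
    const signals = Object.keys(SIGNALS).filter((s) =>
      reached.some((f) => SIGNALS[s].test(files[f])));
    findings.push({ hook, command, reached, signals,
      beaconShape: signals.length === Object.keys(SIGNALS).length });
  }
  return findings;
}

// Constructed sample: inert stand-in strings mirroring the layout the advisory describes.
const sampleManifest = { name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node run.js' } };
const sampleFiles = {
  'run.js': "require('./beacon15.js'); require('./beacon_linux');",
  'beacon15.js': "const os = require('os'); const http = require('http');\nconst id = os.hostname();",
  'beacon_linux.js': "const cp = require('child_process'); const os = require('os');\nos.platform();",
};
console.log(JSON.stringify(auditPackage(sampleManifest, sampleFiles), null, 2));
```

When unpacking a package for this kind of review, install with `npm install --ignore-scripts` so the hook itself never runs.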