VYPR

npm · Malicious package advisory

Malware

sheratan_test_p

MAL-2026-5993

Malicious code in sheratan_test_p (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566)
On `npm install`, the package's postinstall.js executes `whoami` via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name `sheratan_test_p`, empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.