npm · Malicious package advisory
Malwaresheratan_test_p
MAL-2026-5993
Malicious code in sheratan_test_p (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566) On `npm install`, the package's postinstall.js executes `whoami` via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name `sheratan_test_p`, empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.