npm · Malicious package advisory
Malwareebpf-tracker-action
MAL-2026-6077
Malicious code in ebpf-tracker-action (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3) package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects hostname (os.hostname()), username (os.userInfo()), homedir, DNS servers, and package paths, reads /etc/passwd and /etc/hosts via fs.readFileSync, and HTTPS-POSTs the JSON payload to 66az91mywqmmbqau9k79bum1us0jo9cy.oastify.com (a Burp Collaborator subdomain). Package metadata (empty author, empty description, generic CI-flavored name `ebpf-tracker-action`) is consistent with a dependency-confusion attack targeting an internal package name. Any machine that installs this package leaks system identity and local account data to an attacker-controlled host at install time.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.