npm · Malicious package advisory
Malwaredata-utils-bcf2
MAL-2026-6090
Malicious code in data-utils-bcf2 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf)
The package declares a postinstall lifecycle hook ("postinstall": "node run.js" in package.json) that automatically executes run.js on install. run.js imports os, fs, http, https, and child_process, collects host identifying information (os.hostname(), os.platform()), reads files from disk (fs.readFileSync, fs.existsSync), and issues multiple POST requests over HTTP/HTTPS (run.js lines 134, 137, 348, 355). The combination of automatic install-time execution, host fingerprinting, filesystem reads, and outbound POSTs is the canonical install-time exfiltration shape. Installing this package on a developer machine or CI runner will run the reconnaissance and exfiltration code without user interaction.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.