npm · Malicious package advisory
Malwareaikaf6688812
MAL-2026-6215
Malicious code in aikaf6688812 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7)
package.json declares a `postinstall` hook that runs `scripts/postinstall.js`, which spawns `scripts/shell.js` as a detached, stdio-ignored background process (`spawn(process.execPath, [path.join(__dirname, 'shell.js')], { detached: true, stdio: 'ignore', windowsHide: true })`). scripts/shell.js opens a TCP socket to the hardcoded host 114.67.90.67 on port 3334 and pipes the local shell to that socket — `/bin/sh -i` on POSIX, hidden `powershell.exe` on Windows — with an automatic reconnect loop every 10 seconds. Any machine that runs `npm install aikaf6688812` immediately yields persistent interactive shell access at the operating-system level to whoever controls 114.67.90.67. The package's stated purpose is string utilities; the network and shell behavior is unrelated to that purpose. Author metadata (`frontend-dev`) and the repo URL point to a non-existent GitHub project, consistent with a disposable lure.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.