npm · Malicious package advisory
Malwareaikaf668897
MAL-2026-6216
Malicious code in aikaf668897 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293) On `npm install`, the package's postinstall hook (`node scripts/postinstall.js`) spawns a detached background Node process running `scripts/shell.js` with `detached: true, stdio: 'ignore', windowsHide: true` and `.unref()`, so the child survives npm install completion and runs invisibly. `scripts/shell.js` opens a TCP socket to the hardcoded bare IP `114.67.90.67` on port `3333` and pipes a local shell (`/bin/sh` on Unix, `powershell.exe` with hidden window on Windows) stdin/stdout/stderr to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine. The package's advertised purpose (a string-manipulation utility, with `index.js` exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.