VYPR

npm · Malicious package advisory

Malware

atlasora-api

MAL-2026-6237

Malicious code in atlasora-api (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92)
Package declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on `npm install`. install.js imports https, fs, os, and child_process and collects host identifiers including os.hostname() and os.userInfo(), uses execSync for additional system enumeration, probes filesystem paths via fs.existsSync, and POSTs the collected data over an outbound https.request. This is the canonical install-time host-reconnaissance / exfiltration pattern: the package's only effect on installation is to harvest system identity and ship it off-host. There is no documented library functionality justifying the network beacon at install time.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.