VYPR

npm · Malicious package advisory

Malware

atlasora-client

MAL-2026-6238

Malicious code in atlasora-client (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5)
package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and child_process; collects host identifiers via os.hostname() and os.userInfo(); invokes execSync() to gather additional system data; checks for sensitive files via fs.existsSync(); and POSTs the collected data over an https.request() to a hardcoded remote endpoint. This is the canonical install-time system-information exfiltration shape: any developer or CI machine that runs `npm install atlasora-client` will silently leak host identity, user account info, and reconnaissance data about local filesystem contents to an attacker-controlled destination.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.