npm · Malicious package advisory
Malwareatlasora-config
MAL-2026-6239
Malicious code in atlasora-config (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092)
The package declares a postinstall hook in package.json ("postinstall": "node install.js") that auto-executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (line 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data over an https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.