npm · Malicious package advisory
Malwaresf-storybook
MAL-2026-6261
Malicious code in sf-storybook (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a5a1a34bbf1dc84732509c5c5bfbd65adcd442b2665367d0c1bd39dc8301001c)
On `require('sf-storybook')`, index.js shells out via child_process to run `cat /etc/passwd >./passwd.txt` and then POSTs the file contents via curl to `http://144.126.158.177:4325/$(whoami)/$(hostname)/` over plaintext HTTP. The package leaks the installer's username, hostname, and full /etc/passwd contents to a hardcoded bare-IP attacker endpoint. The package name impersonates the `storybook` ecosystem, ships empty author/description metadata, and contains only this exfiltration payload with no functionality matching its implied purpose — a typosquat lure with an embedded credential/host recon stealer.
## Source: ossf-package-analysis (961d26175eb7b4d34d87e6cb162f4b9d5a9febcb520b24a4512406d492a829b5)
The OpenSSF Package Analysis project identified 'sf-storybook' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.