VYPR

npm · Malicious package advisory

Malware

buffer-wrap-67d7

MAL-2026-6348

Malicious code in buffer-wrap-67d7 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3)
The package declares a postinstall hook (`"postinstall": "node run.js"`) that executes run.js automatically on `npm install`. run.js imports `os`, `fs`, `http`, `https`, and `child_process`, and collects host and user identity signals including `os.hostname()`, `os.userInfo()`, `os.platform()`, `process.env.USER`, and `process.cwd()`, alongside filesystem reads (`fs.existsSync`, `fs.readFileSync`). Collected data is base64-encoded (`Buffer.from(...).toString('base64')`) and POSTed out via http/https calls (multiple POST sites at run.js lines 131, 339, 346). The composition — automatic lifecycle trigger, system/user reconnaissance, base64 packaging, and outbound POSTs — is the canonical install-time exfiltration shape and produces direct attacker benefit (host fingerprinting and credential-adjacent data leaving the installer's machine).

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.