VYPR

npm · Malicious package advisory

Malware

delta-time-32bb

MAL-2026-6351

Malicious code in delta-time-32bb (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bcbd5b3b8f7702c8cf59c094e98f078f68563d407235bce1dd0ec6e6522fe03b)
Package declares a postinstall hook ("postinstall": "node run.js" in package.json) that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process and collects host identifiers and environment data — os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd() — base64-encodes the payload via Buffer.from(...).toString('base64'), and POSTs over http/https. The package has no documented purpose justifying install-time host reconnaissance and outbound network. The shape (lifecycle-triggered collection of host identity + environment + base64 wrapping + HTTP POST) is a credential/host-recon exfiltration beacon executed without user interaction on default install.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.