npm · Malicious package advisory
Malwarehex-conv-ae7a
MAL-2026-6352
Malicious code in hex-conv-ae7a (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (35d4f6adb1ef40a529deec65b7409b949cd93ad60d6cf3880ff5e8f0079fef1f)
The package's package.json declares a postinstall hook ("postinstall": "node run.js") that runs run.js automatically on npm install. run.js imports os, fs, http, https, and child_process and collects host identity and environment data including os.hostname(), os.userInfo(), os.platform(), process.env.USER, and process.cwd(), reads files from the filesystem (fs.readFileSync, fs.existsSync), base64-encodes payloads via Buffer.from(...).toString('base64'), and POSTs the result over http/https to a remote endpoint. This is the canonical install-time host-reconnaissance and exfiltration shape: a default `npm install` of this package automatically sends installer machine information off-host without any user interaction or documented purpose. The package name (hex-conv with a random hex suffix) is consistent with throwaway/disposable squatting infrastructure and the package has no legitimate library functionality matching this behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.