npm · Malicious package advisory
Malwaresafe-json-38bd
MAL-2026-6356
Malicious code in safe-json-38bd (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (523c83ae906ad871cb1ea3ffef4c0ae4e2d9f717376b86e97f6575e47cbc640d)
package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on `npm install`. run.js imports os, fs, http, https, and child_process and gathers host identity and environment data: os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd(), plus filesystem reads via fs.readFileSync / fs.existsSync. The collected data is base64-encoded (Buffer.from(...).toString('base64')) and POSTed out via HTTP/HTTPS at multiple call sites in the same script. The package name has no documented purpose that would justify install-time host reconnaissance, base64 wrapping, or outbound POSTs. Combined fingerprints (lifecycle-hook auto-execute + host-identity collection + base64 encoding + outbound HTTP POST) match a credential / system-intel exfiltration dropper.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.