npm · Malicious package advisory
Malwarenpmkekw
MAL-2026-6363
Malicious code in npmkekw (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153) The package's main module (index.js) exports an `init()` function that spawns `/bin/bash` via `child_process.exec` and opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket — a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that calls `init()`. Package metadata is consistent with a throwaway attack vehicle: empty `description`, empty `author`, non-descriptive name `npmkekw`, and no other functional code. The payload as shipped contains a typo (references an undefined `sh` variable and pipes from `cp.stdout`) so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional.
Compromised versions (4)
- 2.0.0
- 2.0.3
- 2.0.5
- 2.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.