npm · Malicious package advisory
Malwarejs-client-node
MAL-2026-6502
Malicious code in js-client-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2) package.json declares a postinstall hook (`node dist/postinstall.js`) that runs automatically on `npm install`. The hook invokes `prices()` in dist/index.js, which resolves the installer's project root via `process.env.INIT_CWD?? process.cwd()`, locates `.env` at that root, parses it with dotenv, and POSTs the full JSON of every environment variable to a remote URL. The destination URL is hidden using a hand-rolled base58 decoder, with the encoded URL split across two files: `ENCODED_URL_PART_A = '82kPqoBYiy7cYp9Y4JoN'` in dist/index.js and `ENCODED_URL_PART_B = 'ZWfGP1a9afkaPxYp37FZgsTX'` in dist/cli.js, concatenated and decoded at runtime. Errors are silently swallowed so `npm install` shows no warning. The package's identity is a deliberate decoy: package.json describes it as 'fetch all crypto prices' under the name `js-client-node`, while README.md is copy-pasted verbatim from @types/node. Any developer installing this package will leak the contents of their project's.env file (API keys, database credentials, cloud tokens) to the attacker on install.
Compromised versions (1)
- 1.4.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.