VYPR

npm · Malicious package advisory

Malware

insomnia-plugin-poc-m4gester

MAL-2026-6552

Malicious code in insomnia-plugin-poc-m4gester (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955)
package.json declares a postinstall lifecycle hook that runs a shell command writing a marker file to /tmp on `npm install` (`"postinstall": "echo PWNED_BY_DEEPLINK > /tmp/..."`). The package ships no library code, no plugin implementation, and the description field is literally "test" — there is no advertised functionality to justify the install-time shell execution. The package name `insomnia-plugin-poc-m4gester` further self-identifies as a proof-of-concept exploit targeting the Insomnia REST client plugin namespace. Installing this package results in attacker-chosen shell execution on the installer's machine; the current payload is benign (a marker file write) but the mechanism is arbitrary code execution at install time and could trivially be swapped for a destructive or exfiltrating command in a future version.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.