npm · Malicious package advisory
Malwareinsomnia-plugin-poc-m4gester2
MAL-2026-6553
Malicious code in insomnia-plugin-poc-m4gester2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86) Package ships only a package.json with no plugin code, declaring a postinstall lifecycle script that runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt` on every `npm install`. This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (`poc-m4gester`) and adopts the `insomnia-plugin-*` namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squat shell of a package.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.