VYPR

npm · Malicious package advisory

Malware

insomnia-plugin-poc-m4gester2

MAL-2026-6553

Malicious code in insomnia-plugin-poc-m4gester2 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86)
Package ships only a package.json with no plugin code, declaring a postinstall lifecycle script that runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt` on every `npm install`. This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (`poc-m4gester`) and adopts the `insomnia-plugin-*` namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squat shell of a package.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.