VYPR

npm · Malicious package advisory

Malware

insomnia-test-util-m4gester

MAL-2026-6554

Malicious code in insomnia-test-util-m4gester (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8)
Package ships no functional code and exists solely to execute a shell command on `npm install`. The `postinstall` lifecycle hook runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt`, dropping a marker file at `/tmp/pwned.txt` on the installer's machine. The self-identifying marker string (`PWNED_BY_DEEPLINK`) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.