npm · Malicious package advisory
Malwareinsomnia-test-util-m4gester
MAL-2026-6554
Malicious code in insomnia-test-util-m4gester (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8) Package ships no functional code and exists solely to execute a shell command on `npm install`. The `postinstall` lifecycle hook runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt`, dropping a marker file at `/tmp/pwned.txt` on the installer's machine. The self-identifying marker string (`PWNED_BY_DEEPLINK`) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.