VYPR

npm · Malicious package advisory

Malware

@checkrhq/adjudication-api-client

MAL-2026-6789

Malicious code in @checkrhq/adjudication-api-client (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf)
package.json declares a preinstall lifecycle script that runs `curl` to POST installer reconnaissance data — hostname, current user (whoami), working directory, and uid/gid (id) — to a hardcoded webhook.site collector endpoint on every `npm install`. The package is published under an @checkrhq scope impersonating Checkr Inc. (author email uses checkr.com; description states 'This package is for testing only.') and ships no functional code, matching the canonical dependency-confusion beacon pattern targeting an organization's internal package namespace. Installing this package causes automatic outbound transmission of host and user identifiers to an anonymous third-party collector controlled by the publisher.

## Source: ossf-package-analysis (dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b)
The OpenSSF Package Analysis project identified '@checkrhq/adjudication-api-client' @ 0.0.2 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 0.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.