npm · Malicious package advisory
Malware@checkrhq/adjudication-api-client
MAL-2026-6789
Malicious code in @checkrhq/adjudication-api-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf) package.json declares a preinstall lifecycle script that runs `curl` to POST installer reconnaissance data — hostname, current user (whoami), working directory, and uid/gid (id) — to a hardcoded webhook.site collector endpoint on every `npm install`. The package is published under an @checkrhq scope impersonating Checkr Inc. (author email uses checkr.com; description states 'This package is for testing only.') and ships no functional code, matching the canonical dependency-confusion beacon pattern targeting an organization's internal package namespace. Installing this package causes automatic outbound transmission of host and user identifiers to an anonymous third-party collector controlled by the publisher. ## Source: ossf-package-analysis (dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b) The OpenSSF Package Analysis project identified '@checkrhq/adjudication-api-client' @ 0.0.2 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 0.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.