VYPR

npm · Malicious package advisory

Malware

next-locomotive-init

MAL-2026-7013

Malicious code in next-locomotive-init (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9a11400eaa7dd74b24610ec815438de047089be7005b94c37717fa2b6f916ab6)
The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a `<username>@<hostname>` identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a `source: 'next-locomotive-init'` tag. The package is advertised as animation utilities for Next.js templates; there is no functional or documented reason to transmit host identifiers to a third-party endpoint on install. The transmission fires automatically as a lifecycle script on `npm install` with no opt-in, no configuration, and no disclosure, giving the operator of that endpoint a census of every machine that installs the package — a beacon consistent with reconnaissance for follow-on targeting.

Compromised versions (5)

  • 1.0.4
  • 1.0.3
  • 1.0.0
  • 1.0.2
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.