npm · Malicious package advisory
Malwarenext-locomotive-init
MAL-2026-7013
Malicious code in next-locomotive-init (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9a11400eaa7dd74b24610ec815438de047089be7005b94c37717fa2b6f916ab6) The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a `<username>@<hostname>` identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a `source: 'next-locomotive-init'` tag. The package is advertised as animation utilities for Next.js templates; there is no functional or documented reason to transmit host identifiers to a third-party endpoint on install. The transmission fires automatically as a lifecycle script on `npm install` with no opt-in, no configuration, and no disclosure, giving the operator of that endpoint a census of every machine that installs the package — a beacon consistent with reconnaissance for follow-on targeting.
Compromised versions (5)
- 1.0.4
- 1.0.3
- 1.0.0
- 1.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.