{"id":"MAL-2026-10159","summary":"Malicious code in npm-rce-safe-proof-yourname (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab)\nOn `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose (`npm script for showing date strings`) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.\n","modified":"2026-07-10T17:17:00.955177362Z","published":"2026-07-10T16:34:59Z","database_specific":{"malicious-packages-origins":[{"sha256":"f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab","versions":["1.0.0"],"modified_time":"2026-07-10T16:34:59Z","id":"IN-MAL-2026-009647","source":"amazon-inspector","import_time":"2026-07-10T17:10:14.090693917Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/npm-rce-safe-proof-yourname/v/1.0.0"}],"affected":[{"package":{"name":"npm-rce-safe-proof-yourname","ecosystem":"npm","purl":"pkg:npm/npm-rce-safe-proof-yourname"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"608b76a811f7aebe64c09758b404742a827a5b3abe454cf3bfbffb02e0eb1152","path":"postinstall.js","tlsh":"f4413f9950d270698af1bfa4da030406fa2381236200cae5bbfc46501f736a442e1dec"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Vdf/Hajw6Qn+tJ+YggZOSK7TV733YHlgFqo2788RpCbzbb1flsPWowm1j9Pd5Bo/bnn3xintKrfkYuFtg1teRQ==","sha1":"7e8adc348f2556406f6f86779bbea1e54e802b73"},"filename":"npm-rce-safe-proof-yourname-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-rce-safe-proof-yourname/MAL-2026-10159.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}