Malicious code in npm-sandbox-ping-c8f2a (npm)

__

Source: amazon-inspector (f5401a81d56283c310efebfe29af19c3e3fa331667f40adeed71a54627adc877)

Package declares a postinstall hook ("postinstall": "node run.js" in package.json) that executes on every install. Bundled scripts beacon6.js and beacon_linux.js use require('child_process') to gather host identity (whoami, os.hostname(), os.platform()) and POST the collected data to a remote HTTP endpoint via http.request(...). The package name npm-sandbox-ping-c8f2a and the beacon-style file naming together with no legitimate library functionality indicate the install-time goal is host fingerprinting / callback to an attacker-controlled destination, not any documented purpose. Installing this package automatically transmits installer machine identity off-host.