CRITICAL npm Malware
Malicious code in npm-sandbox-research-8b2f (npm)
MAL-2026-5758
Published · Modified
Description
Source: amazon-inspector (916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b)
On install, package.json runs the postinstall script node run.js, which loads beacon scripts (beacon8.js, beacon_linux.js). These scripts import child_process, os, and http, gather host identity (the output of whoami, os.hostname(), and os.platform()), and POST the collected data to a hardcoded HTTP endpoint via http.request(...). This fires automatically on npm install, giving the attacker reconnaissance data on every installer host with no user interaction. The behavior (privileged shell command execution, host identity collection, and an outbound HTTP POST from a postinstall hook) matches the active-attack reconnaissance/beacon fingerprint.
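A static check for the fingerprint described above, as an added example that is not code from this advisory or from amazon-inspector: it follows an install-time hook to its entry script, walks local requires, and flags any file that combines child_process with http or https. It generalizes slightly beyond this package by also covering preinstall and install hooks; the names auditPackage and importsOf are hypothetical, and the sample file bodies are constructed stubs containing only import lines.

```javascript
// Added example: heuristic check for the install-hook beacon pattern.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const RISKY = ['child_process', 'os', 'http', 'https'];

// Module names referenced via require('x') or import ... from 'x'.
function importsOf(src) {
  const re = /(?:require\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;
  return [...src.matchAll(re)].map((m) => m[1].replace(/^node:/, ''));
}

// files: { relativePath: fileContents } for one unpacked package.
function auditPackage(files) {
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  const findings = [];
  for (const hook of HOOKS) {
    const m = /\bnode\s+(?:\.\/)?([\w./-]+)/.exec(scripts[hook] || '');
    if (!m) continue;
    // Walk local requires reachable from the hook's entry script.
    const queue = [m[1]];
    const seen = new Set();
    while (queue.length) {
      const name = queue.shift();
      const file = name in files ? name : name + '.js';
      if (seen.has(file) || !(file in files)) continue;
      seen.add(file);
      const mods = importsOf(files[file]);
      queue.push(...mods.filter((x) => x.startsWith('./')).map((x) => x.slice(2)));
      const hits = RISKY.filter((r) => mods.includes(r));
      const exec = hits.includes('child_process');
      const net = hits.includes('http') || hits.includes('https');
      // Command execution plus network access inside an install hook.
      if (exec && net) findings.push({ hook, file, modules: hits });
    }
  }
  return findings;
}

// Constructed sample inputs; file bodies are stubs holding only the imports.
const flagged = {
  'package.json': JSON.stringify({ scripts: { postinstall: 'node run.js' } }),
  'run.js': "require('./beacon8.js'); require('./beacon_linux.js');",
  'beacon8.js': "const cp = require('child_process'); const os = require('os'); const http = require('http');",
  'beacon_linux.js': "const { execSync } = require('child_process'); const os = require('node:os'); const http = require('http');",
};
const clean = {
  'package.json': JSON.stringify({ scripts: { postinstall: 'node build.js' } }),
  'build.js': "const fs = require('fs'); const path = require('path');",
};
console.log(auditPackage(flagged), auditPackage(clean));
```

A hit is a triage signal, not a verdict: legitimate packages also run install scripts, so flagged files still need manual review.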