Malicious code in npm-sandbox-research-9c4e (npm)

__

Source: amazon-inspector (24c86d7d2179375f642423fc8c38f58f5740b543bacab149ba8d4cbdcd7dc4cf)

On install, package.json runs node run.js via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()) and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via npm install, host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name (npm-sandbox-research-*) and shipped contents are inconsistent with any legitimate library purpose.