CRITICAL npm Malware
Malicious code in npm-sandbox-research-c5d6 (npm)
MAL-2026-5760
Published · Modified
Description
Source: amazon-inspector (e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b)
The package declares a postinstall hook ("postinstall": "node run.js") that executes automatically on npm install. The shipped beacon scripts (beacon11.js, beacon_linux.js) load child_process, os, and http, read host identifiers via os.hostname() and os.platform(), and issue outbound HTTP GET/POST requests carrying that data. This is the install-time host-fingerprinting and exfiltration shape: lifecycle execution + system-info collection + outbound network in a single chain, with no legitimate library functionality justifying the behavior.