Malicious code in npm-sandbox-research-d7e8 (npm)

__

Source: amazon-inspector (3ff31cbf7e2e36cef422933472638912cd6ee6652ece9b03d11faa98b70d13e9)

Package declares a postinstall lifecycle hook ("postinstall": "node run.js") that auto-executes on install. The package ships beacon scripts (beacon12.js, beacon_linux.js) that import child_process, os, and http, collect host identifiers via os.hostname() and os.platform(), and issue outbound HTTP GET/POST requests via http.request() carrying that data off-host. The combination of automatic install-time execution, host enumeration, and unconditional outbound HTTP to non-registry endpoints is a host-beacon / exfiltration pattern that runs on any developer or CI machine that runs npm install against this package.