Malicious code in npm-sandbox-research-e9f0 (npm)

__

Source: amazon-inspector (a18a9932f78294e22aa0a85077b9318233ab0952bc8788ae8987fce3e5002c93)

Package declares a postinstall hook ("postinstall": "node run.js") that executes automatically on npm install. The tarball ships beacon scripts (beacon13.js, beacon_linux.js) that combine require('child_process'), require('os'), and require('http')/http.request to gather host identifiers (os.hostname(), os.platform()) and transmit them via HTTP POST/GET requests. This is the canonical install-time host-recon and exfiltration shape: lifecycle hook auto-execution, host enumeration via the os module, command execution capability via child_process, and outbound HTTP. Installing this package causes immediate disclosure of host metadata and provides a code-execution surface on the installer's machine.