Malicious code in npm-sandbox-research-g3h4 (npm)

__

Source: amazon-inspector (5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a)

On install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.