Malicious code in sys-info-cli-app (npm)

MAL-2026-5764

Published Jun 14, 2026 · Modified Jun 14, 2026

Description

Source: amazon-inspector (1423c435a0e9e86338dd64d138fb1697580751ade2b7486880e21785e1b3eb47)

The package's collect.js gathers host identifiers (os.hostname(), os.homedir()) along with filesystem and child_process introspection and POSTs them to a hardcoded external endpoint at http://aab.sportsontheweb.net. The destination is unrelated to any legitimate npm distribution infrastructure and the data flow has no documented purpose tied to the package's stated function. The combination of os/child_process/fs reads with an outbound POST to an attacker-controlled domain is the canonical host-reconnaissance / exfiltration shape. Installing or loading this package causes installer host metadata to be sent off-host to a third-party server.

References

PACKAGE https://www.npmjs.com/package/sys-info-cli-app/v/1.0.1
PACKAGE https://www.npmjs.com/package/sys-info-cli-app/v/1.0.9
PACKAGE https://www.npmjs.com/package/sys-info-cli-app/v/1.0.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes