-= Per source details. Do not edit below this line.=-
On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INITCWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INITCWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"id": "IN-MAL-2026-009585",
"import_time": "2026-07-09T22:56:36.883954615Z",
"modified_time": "2026-07-09T22:52:20Z",
"sha256": "a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f",
"source": "amazon-inspector"
},
{
"sha256": "af550191d3d4cb2984b26cf7a5aba9ae8c003fa781008b7d7821110d4eefa62d",
"id": "IN-MAL-2026-009587",
"modified_time": "2026-07-09T22:52:35Z",
"versions": [
"1.0.2"
],
"import_time": "2026-07-09T22:56:37.07679088Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "29514935dcc304a025ea79b7385998bcb040e067da03eeace456985a73125041",
"tlsh": "bd71e9820e2442392ab629e053af6546e3b6d1014194f970f85ed0582fd12b4075bfee",
"path": "postinstall.js"
}
],
"package_integrity": [
{
"filename": "polipoli-pak-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-rNxmFMVIYrd5sqNavgBJTZe9b9MENi6RuHLS0mOZ2gyiIyQEsDITvzGS/JYzT4uRNzHwHKQInCbCymzwjlL+/g==",
"sha1": "6d422b1d6d5a405abed6076b0ae3f4b25471df9d"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polipoli-pak/MAL-2026-10099.json"