MAL-2026-10159

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-rce-safe-proof-yourname/MAL-2026-10159.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10159
Published
2026-07-10T16:34:59Z
Modified
2026-07-10T17:17:00.955177362Z
Summary
Malicious code in npm-rce-safe-proof-yourname (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab)

On npm install, postinstall.js runs whoami, reads os.hostname(), process.platform, and process.version, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose (npm script for showing date strings) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab",
            "id": "IN-MAL-2026-009647",
            "modified_time": "2026-07-10T16:34:59Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-10T17:10:14.090693917Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / npm-rce-safe-proof-yourname

Package

Name
npm-rce-safe-proof-yourname
View open source insights on deps.dev
Purl
pkg:npm/npm-rce-safe-proof-yourname

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "608b76a811f7aebe64c09758b404742a827a5b3abe454cf3bfbffb02e0eb1152",
            "tlsh": "f4413f9950d270698af1bfa4da030406fa2381236200cae5bbfc46501f736a442e1dec",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "npm-rce-safe-proof-yourname-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Vdf/Hajw6Qn+tJ+YggZOSK7TV733YHlgFqo2788RpCbzbb1flsPWowm1j9Pd5Bo/bnn3xintKrfkYuFtg1teRQ==",
                "sha1": "7e8adc348f2556406f6f86779bbea1e54e802b73"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-rce-safe-proof-yourname/MAL-2026-10159.json"