-= Per source details. Do not edit below this line.=-
The package's package.json declares a preinstall hook that runs index.js. On npm install, index.js uses child_process.exec to curl-POST installer identifiers ($(whoami), $(hostname), id output) together with the contents of /etc/passwd, /etc/hosts, and /etc/shadow (base64-encoded and stuffed into the User-Agent header) to a hardcoded webhook.site endpoint. The /etc/shadow read attempts to harvest local password hashes; if the install runs as root (common in CI/Docker), hashes are transmitted off-host. Behavior fires automatically on default npm install with no user interaction.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T21:59:21Z",
"versions": [
"99.9.9"
],
"sha256": "e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c",
"id": "IN-MAL-2026-010335",
"source": "amazon-inspector",
"import_time": "2026-07-13T22:21:56.489997805Z"
}
]
}{
"evidence_files": [
{
"tlsh": "dff0d44758f4dd3673a518bceb04481fb74bf9405136b75254ef8a25234c85844551f7",
"sha256": "55ad8bb63e16a89373566a35b5241f6b7bec0b9b24d29cceb431e622c6fc165f",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "2ed67e37878a7a8f01ce1a2ee89d0a078a3b8507",
"sha512_sri": "sha512-Gz120JatIgxuYApFPN3GwcEZ3g+ntpo1RCpG0pjTWkhvOJlw4vTIIAUFvjFDDjeKFYZ8qtqm/CvxWrTMxMZ0PA=="
},
"filename": "test_adminet-99.9.9.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test_adminet/MAL-2026-10509.json"