-= Per source details. Do not edit below this line.=-
On npm install, postinstall.js reads the installer's .env file from INITCWD, harvests DEMO-prefixed environment variable values, collects host identifiers via os.hostname() and os.platform(), and POSTs the combined payload to a hardcoded ngrok tunnel at https://scary-blooper-brewery.ngrok-free.dev/collect. The package describes itself as an educational demo, but the destination is an anonymous tunneling host that the author can repoint at will and that has no relationship to the publisher — the canonical shape of install-time exfiltration. Additionally, package.json declares a build script pointing at scripts/mine_cyrpto.js (a misspelling of 'crypto'); the file is currently empty and is not invoked automatically, but its presence in the tarball is a quality and intent signal alongside the exfiltration. Harm to the installing user is concrete and automatic on a default install, where npm runs lifecycle scripts such as postinstall without prompting: a filesystem read of the installer's secrets, host fingerprinting, and outbound transmission to an attacker-style endpoint.
The OpenSSF Package Analysis project identified 'edu-npm-postinstall-demo2' @ 1.0.3 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"1.0.3"
],
"sha256": "fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea",
"source": "ossf-package-analysis",
"modified_time": "2026-06-11T08:25:49Z",
"import_time": "2026-06-11T09:36:25.905564153Z"
},
{
"versions": [
"1.0.3"
],
"sha256": "af1015b5508b476dcc0e9aec7c5692f2a296e4cf4ae25a6190c767fd4fe73ef8",
"modified_time": "2026-06-12T19:07:27Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:59.012994271Z",
"id": "IN-MAL-2026-006020"
},
{
"versions": [
"1.0.2"
],
"sha256": "ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1",
"modified_time": "2026-06-12T19:07:26Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:58.808709978Z",
"id": "IN-MAL-2026-006018"
},
{
"versions": [
"1.0.3"
],
"sha256": "4ede37dc48469ec273b470e4b74c65d4f7dfc5a19afac08339287ba16cd0a46a",
"modified_time": "2026-06-12T19:07:25Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:58.696694968Z",
"id": "IN-MAL-2026-006017"
},
{
"versions": [
"1.0.1"
],
"sha256": "8c1c93fac029298c9951ee680beaec72a89851dd5d6fdabcce01b740d500ef20",
"modified_time": "2026-06-12T19:07:22Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:58.178231618Z",
"id": "IN-MAL-2026-006012"
}
]
}{
"package_integrity": [
{
"filename": "edu-npm-postinstall-demo2-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-zVNvLre9zYEkphTY9gLWzSZTEZKvBHUcNMIkCNamZJnLsjOLCc8UiNMk7oLWntMvEc6VYz/DzSTb+L6VW18D9A==",
"sha1": "a586db7459aaf4b80262d9977bfcd7ad520d48b6"
}
}
],
"evidence_files": [
{
"sha256": "e33885a839811a2b8643a9de7a58b5667191089f7502bcc2299e499aa6a248cd",
"path": "postinstall.js",
"tlsh": "e17145c920f2526003eb73d4594f7476f235e2437814d9547e9e53801fc292897e6bab"
},
{
"sha256": "c61d2ed9b6bf687c2bb867d79bccb596b7b591bf2a8fc29f6629131c88b5160f",
"path": "package.json",
"tlsh": "46f08410cd101f33a9c8ae2b183a414ae4700c078918bc2837f750ac0b8f17b98bf67e"
}
],
"domains": [
"scary-blooper-brewery.ngrok-free.dev"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/edu-npm-postinstall-demo2/MAL-2026-5624.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]