registry  /  @sectest429/hello-npm-world  /  1.0.3

@sectest429/hello-npm-world@1.0.3

My first npm package

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10478 confirms this npm version as malicious. The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality...

Advisory
MAL-2026-10478
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @sectest429/hello-npm-world (npm)
Details
The package advertises a single function `module.exports = function hello(name)` but ships a `preinstall.js` lifecycle script that runs automatically on `npm install` and performs reconnaissance unrelated to the advertised functionality. The script collects OS username, hostname, platform/arch, and the full running process list (`ps -eo comm=` on POSIX, `tasklist /fo csv /nh` on Windows), and issues an HTTP PUT to the AWS EC2 link-local IMDSv2 token endpoint at `169.254.169.254/latest/api/token` followed by a fetch of `/latest/meta-data/instance-id`. Results are written to `./exfil.log` in the installer's working directory. The file's own header comment self-describes as a 'SECURITY DEMO payload' proving that a trojanized package gets code execution at install time. Even though the current version writes locally rather than transmitting, the recon chain (process enumeration + cloud-instance fingerprinting) has no relationship to a hello-world library, runs without consent on every install, and pollutes the consumer's CWD with an artifact.
Decision reason
OpenSSF Malicious Packages via OSV confirms @sectest429/hello-npm-world@1.0.3 as malicious (MAL-2026-10478): Malicious code in @sectest429/hello-npm-world (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory