registry  /  hashd-edu  /  1.0.5

hashd-edu@1.0.5

A simple educational npm package.

OSV Malicious Advisory

scanned 15d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6302 confirms this npm version as malicious. The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached daemon (POSTINSTALL_DAEMON=1), generates/loads a machine UUID, and POSTs {uuid, hostname, platform} to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned `command` field into child_process.exec(),...

Advisory
MAL-2026-6302
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hashd-edu (npm)
Details
The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached daemon (POSTINSTALL_DAEMON=1), generates/loads a machine UUID, and POSTs {uuid, hostname, platform} to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned `command` field into child_process.exec(), POSTing stdout/stderr back to /results. index.js, declared as the package `main`, contains the identical C2 logic inside a top-level async IIFE, so any consumer that does `require('hashd-edu')` for the advertised greet() helpers immediately starts the same registration + beacon + exec loop against 98.86.244.177:8080. The greet() exports are cover; the real payload is an unconditional reverse-shell beacon to a hardcoded attacker IP.
Decision reason
OpenSSF Malicious Packages via OSV confirms hashd-edu@1.0.5 as malicious (MAL-2026-6302): Malicious code in hashd-edu (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory