registry  /  npm-rce-safe-proof-yourname  /  1.0.0

npm-rce-safe-proof-yourname@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10159 confirms this npm version as malicious. On `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent...

Advisory
MAL-2026-10159
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in npm-rce-safe-proof-yourname (npm)
Details
On `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose (`npm script for showing date strings`) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.09 KB of source, external domains: testnpm.byte.eyes.sh

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
1const https = require("https"); L2: const os = require("os"); L3: const { execFile } = require("child_process"); L4: ... L16: return new Promise((resolve) => { L17: const command = process.platform === "win32" ? "whoami.exe" : "whoami"; L18: ... L25: }, L26: (err, stdout) => { L27: if (!err && stdout) { ... L31: try { L32: const user = os.userInfo().username;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

postinstall.jsView on unpkg · L1

Findings

2 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitypostinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings