hashd-edu @1.0.5
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6302
Ecosystem
npm
Summary
The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached daemon (POSTINSTALL_DAEMON=1), generates/loads a machine UUID, and POSTs {uuid, hostname, platform} to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned command field into child_process.exec(), POSTing stdout/stderr back to /results. index.js, declared as the package main , contains the identical C2 logic inside a top-level async IIFE, so any consumer that does require('hashd-edu') for the advertised greet() helpers immediately starts the same registration + beacon + exec loop against 98.86.244.177:8080. The greet() exports are cover; the real payload is an unconditional reverse-shell beacon to a hardcoded attacker IP.
Source: amazon-inspector (0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.