npm-sandbox-research-9c4e @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5759
Ecosystem
npm
Summary
On install, package.json runs node run.js via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()) and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via npm install , host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name ( npm-sandbox-research-* ) and shipped contents are inconsistent with any legitimate library purpose.
Source: amazon-inspector (24c86d7d2179375f642423fc8c38f58f5740b543bacab149ba8d4cbdcd7dc4cf)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.