test_adminet @99.9.9
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10509
Ecosystem
npm
Summary
The package's package.json declares a preinstall hook that runs index.js. On npm install, index.js uses child_process.exec to curl-POST installer identifiers ($(whoami), $(hostname), id output) together with the contents of /etc/passwd, /etc/hosts, and /etc/shadow (base64-encoded and stuffed into the User-Agent header) to a hardcoded webhook.site endpoint. The /etc/shadow read attempts to harvest local password hashes; if the install runs as root (common in CI/Docker), hashes are transmitted off-host. Behavior fires automatically on default npm install with no user interaction.
Source: amazon-inspector (e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.