MAL-2026-10634: Malicious code in estore-client (npm)
The estore-client npm package version 5.0.0 contains malicious code that executes a preinstall script during npm install. This script sends the installer's OS username, current working directory, and hostname to an anonymous external URL (webhook.site), which is not associated with the legitimate publisher. This behavior constitutes host reconnaissance and beaconing, indicative of a supply-chain reconnaissance stage.
AI Analysis
Technical Summary
The estore-client package version 5.0.0 includes a preinstall lifecycle script that automatically runs on npm install before any user code executes. This script uses wget to send sensitive environment information—specifically the OS username, current directory, and hostname—to an external anonymous request-collector service at webhook.site. The destination URL is unrelated to any legitimate publisher endpoint, indicating malicious intent. This activity is consistent with reconnaissance or beaconing in a supply-chain attack context. No CVSS score or known exploits in the wild are reported for this issue.
Potential Impact
The malicious preinstall script leaks sensitive environment information from the host machine to an attacker-controlled endpoint. This can facilitate further targeted attacks or reconnaissance by exposing user and system details. Although no direct code execution beyond the preinstall script is described, the information disclosure poses a privacy and security risk during package installation.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing estore-client version 5.0.0 and verify package integrity before installation. Monitor vendor advisories for updates or official fixes. Since this is a malicious package behavior, consider using trusted package sources and tools that detect malicious lifecycle scripts.
MAL-2026-10634: Malicious code in estore-client (npm)
Description
The estore-client npm package version 5.0.0 contains malicious code that executes a preinstall script during npm install. This script sends the installer's OS username, current working directory, and hostname to an anonymous external URL (webhook.site), which is not associated with the legitimate publisher. This behavior constitutes host reconnaissance and beaconing, indicative of a supply-chain reconnaissance stage.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The estore-client package version 5.0.0 includes a preinstall lifecycle script that automatically runs on npm install before any user code executes. This script uses wget to send sensitive environment information—specifically the OS username, current directory, and hostname—to an external anonymous request-collector service at webhook.site. The destination URL is unrelated to any legitimate publisher endpoint, indicating malicious intent. This activity is consistent with reconnaissance or beaconing in a supply-chain attack context. No CVSS score or known exploits in the wild are reported for this issue.
Potential Impact
The malicious preinstall script leaks sensitive environment information from the host machine to an attacker-controlled endpoint. This can facilitate further targeted attacks or reconnaissance by exposing user and system details. Although no direct code execution beyond the preinstall script is described, the information disclosure poses a privacy and security risk during package installation.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing estore-client version 5.0.0 and verify package integrity before installation. Monitor vendor advisories for updates or official fixes. Since this is a malicious package behavior, consider using trusted package sources and tools that detect malicious lifecycle scripts.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10634
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577efb68715ace43b41e39
Added to database: 07/15/2026, 12:37:15 UTC
Last enriched: 07/15/2026, 13:00:07 UTC
Last updated: 07/16/2026, 03:35:59 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.