MAL-2026-6697: Malicious code in @sudoughnym/enviro-demo (npm)
The npm package @sudoughnym/enviro-demo version 99.99.99 contains malicious preinstall and postinstall scripts that execute automatically during installation. These scripts collect host identifiers and environment metadata (hostname, current working directory, process ID, Node.js version, platform, and details of the user's environment variables) and send this data as JSON to an attacker-controlled third-party webhook URL. The package is a dependency confusion proof-of-concept designed to outrank internal packages by using an inflated version number. Installing this package leaks sensitive environment information to an unauthorized external endpoint.
AI Analysis
Technical Summary
The @sudoughnym/enviro-demo npm package at version 99.99.99 includes lifecycle scripts (preinstall.js and postinstall.js) that run automatically on npm install. These scripts gather detailed host and environment information such as os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total count of environment variables. This collected data is then POSTed as JSON to a third-party webhook URL (https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7) that is not affiliated with the package publisher. The package is intended as a dependency confusion attack proof-of-concept, using a high semver (99.99.99) to supersede internal packages named 'enviro'. The impact is the leakage of host identity and environment variable layout, potentially exposing secret names, to an attacker-controlled endpoint on every installation.
Potential Impact
Any build or developer machine that installs @sudoughnym/enviro-demo@99.99.99 will have host identity and environment metadata exfiltrated to an attacker-controlled external webhook. This includes potentially sensitive environment variable names that could aid further attacks or reconnaissance. The data leakage occurs automatically on installation without user interaction beyond the install command. This compromises confidentiality of environment details and may facilitate subsequent targeted attacks.
Mitigation Recommendations
Avoid installing the @sudoughnym/enviro-demo package, especially version 99.99.99. Verify package names and versions carefully to prevent dependency confusion attacks. Since this is a malicious package published to the public npm registry, do not trust packages with suspiciously high version numbers intended to override internal packages. There is no official patch or fix; remediation involves removing the package and auditing systems for any data exfiltration. Consider using package allowlists or private registries to prevent resolution to malicious public packages.
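As an added example (not part of the advisory), the check below audits an npm lockfile (v2/v3 `packages` map) for the three signals described above: the flagged package and version, packages that run install-time lifecycle scripts (`hasInstallScript`), and internal package names or scopes that resolved to the public registry, which is the dependency confusion pattern. The internal scope `@acme`, the internal name `enviro`, the private registry URL and the sample lockfile are constructed assumptions.

```javascript
// Added example, not code from the advisory or the package. Audits an npm
// lockfile object (lockfileVersion 2 or 3) for supply-chain risk signals.

const KNOWN_BAD = { "@sudoughnym/enviro-demo": ["99.99.99"] }; // from MAL-2026-6697
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
// Assumption: your organisation's private scopes and unscoped internal names.
const INTERNAL = { scopes: ["@acme"], names: ["enviro"] };

function isInternal(name, internal) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  return internal.names.includes(name) || (scope !== null && internal.scopes.includes(scope));
}

function auditLockfile(lock, internal = INTERNAL) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Package name is the part after the last "node_modules/" segment.
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const version = entry.version || "";
    const resolved = entry.resolved || "";
    if ((KNOWN_BAD[name] || []).includes(version)) {
      findings.push({ name, version, reason: "known-malicious" });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, version, reason: "install-script" });
    }
    if (isInternal(name, internal) && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, version, reason: "internal-from-public-registry" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment for demonstration (not a real lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@sudoughnym/enviro-demo": { version: "99.99.99", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/@sudoughnym/enviro-demo/-/enviro-demo-99.99.99.tgz" },
    "node_modules/@acme/enviro": { version: "2.1.0",
      resolved: "https://registry.npmjs.org/@acme/enviro/-/enviro-2.1.0.tgz" },
    "node_modules/enviro": { version: "1.4.0",
      resolved: "https://npm.internal.example/enviro/-/enviro-1.4.0.tgz" }, // private registry: fine
    "node_modules/lodash": { version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
};

function sampleFindings() { return auditLockfile(SAMPLE_LOCK); }
```

Run `sampleFindings()` against the sample to see the flagged package reported twice (known-malicious and install-script) and `@acme/enviro` reported once for resolving to the public registry.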
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6697
- OSV Schema Version: 1.7.4
- Aliases: [] (none)
- Ecosystems: ["npm"]
- Database Specific Severity: null
- CVSS Version: null
Threat ID: 6a4452db27e9c797198e051d
Added to database: 06/30/2026, 23:35:55 UTC
Last enriched: 06/30/2026, 23:43:35 UTC
Last updated: 06/30/2026, 23:43:35 UTC