SafeDep
Install GitHub App
SafeDep
Install GitHub App

Summary

Package collects and sends sensitive system info to a hardcoded server. Multiple YARA matches and LLM analysis confirm suspicious telemetry. Likely malware.

Verification Record

No verification record available.

Details

The package exhibits multiple indicators of malicious behavior. The postinstall.js script collects sensitive system information (hostname, username, OS details, current working directory, git config, CI provider) and transmits it to a hardcoded remote server (npm-package-logger-228835561205.us-central1.run.app) via an HTTPS POST request. This behavior is detected by multiple YARA rules (nodejs_phone_home, nodejs_phone_home_hardcoded_host, post_hardcoded_hardcoded_host_os). Additionally, the LLM-based analysis confirms the telemetry data collection and transmission. While the script checks for a DO_NOT_TRACK environment variable, the overall behavior is suspicious, especially given the project's low popularity and lack of provenance. The combination of these factors strongly suggests malicious intent.

@langgraphjs/toolkit@1.2.9Suspicious
Unverified
Analysed at: 4/7/26, 12:11 PM
Source: https://registry.npmjs.org/@langgraphjs/toolkit/-/toolkit-1.2.9.tgz
SHA256: 6968b7e2b29eb8f32d5dd8e0f2a21f2dd730327d8787367620c5ed9741070418
Confidence: Medium