Coming soon | Beginner

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the install command even finishes in the terminal. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m | 6 tasks | 25 points | Free

Launches Friday, July 3, 2026 at 9:00 AM


Training Tools

XDR, SIEM

What you'll investigate

6 objectives unlock when this operation goes live.

1. Brief: the dependency that was not what it seemed
2. Identify the malicious package that triggered the hook
3. Identify what executed the postinstall script
4. Find the staging file written before the data left the machine
5. Pinpoint the exfiltration destination
6. Map the initial access to MITRE ATT&CK
