
COMING SOON
Beginner
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
25m
6 tasks
25 points
Free
Launches today
Jul 3, 2026
Friday, July 3, 2026 at 9:00 AM
Training Tools
XDR, SIEM
What you'll investigate
6 objectives unlock when this operation goes live.
1. Brief: the dependency that was not what it seemed
2. Identify the malicious package that triggered the hook
3. Identify what executed the postinstall script
4. Find the staging file written before the data left the machine
5. Pinpoint the exfiltration destination
6. Map the initial access to MITRE ATT&CK