npm

@arbocollab/arbo-web-people @0.26.3-alpha.15

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4362

Ecosystem

npm

Summary

The published tarball ships npmjs.npmrc containing a live npm_-prefixed authToken for registry.npmjs.org scoped to @arbocollab. package.json declares "files": ["*"] and .npmignore does not exclude npmjs.npmrc, so every installer receives the credential. The package.json publish:lib script references this same file via --userconfig=npmjs.npmrc, confirming it is the maintainer's real publish credential rather than a stub. Any installer or anyone who downloads the tarball can use this token to publish arbitrary malicious versions under the @arbocollab scope, pivoting into a supply-chain attack against all downstream consumers of any package in that scope. No install-time hooks are present; the harm is the credential redistribution itself. Remediation: revoke the token immediately, unpublish/deprecate affected versions, remove npmjs.npmrc from the published tarball, and add it to .npmignore or restrict the "files" allowlist so it is no longer packed.

Source: amazon-inspector (3f007c3da95aa64e4c2ed5b51b736900ddc444499f2f678d749603fab516a0c3)
