@colibri-event-types/megamarket-ru-web@5.2.8

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC

Malicious

OSV ID

MAL-2026-6464

Ecosystem

npm

Summary

scripts/postinstall.js is registered as the npm postinstall lifecycle script and is heavily packed with obfuscator.io string-array rotation plus a self-defending/anti-debug IIFE. On install it calls os.platform() to select a per-OS URL (darwin/win32/linux), HTTPS-fetches an opaque binary, writes it to os.tmpdir(), and spawns it via process.execPath (the installer's Node) with detached:true and stdio:'ignore', then calls .unref() on the child so it survives npm exit. There is no hash, signature, or publisher verification on the fetched bytes. The package's stated purpose ("internal database utilities") is inconsistent with downloading and executing a remote native/JS payload. The scoped name @colibri-event-types/megamarket-ru-web and the fabricated colibri-event-types.io homepage/author/repo metadata are consistent with dependency-confusion bait targeting an internal namespace at a victim organization. Any developer workstation or CI runner that performs npm install of this package executes attacker-controlled code.

Source: amazon-inspector (c4780aaf3b99e11830e6a5eda56c287f9f8e93d375f1f59320ecc9849ebdf4fe)
