npm

@emcd-vue/loans @7.1.8

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5165

Ecosystem

npm

Summary

The package ships a heavily obfuscated postinstall script (scripts/postinstall.js) that executes automatically on npm install. The file uses hex-mangled identifier names (_0x2556a0, _0x3929dc, _0x2f9082, etc.) consistent with string-array obfuscators commonly used to hide network exfiltration, credential harvesting, or remote payload execution. Obfuscation in a lifecycle hook is not a legitimate engineering practice — install-time scripts in legitimate packages are readable shell or plain JS. The package name (@emcd-vue/loans) advertises a Vue.js loans component, which has no plausible reason to require obfuscated postinstall logic. Installing this package will run the obfuscated code automatically with the privileges of the developer or build system performing npm install.

Source: amazon-inspector (febfe36bf4efb63283bdcac20e625459b8f63358c2e32921a747f29bb2d65917)
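
The signal described in the summary (an install-time lifecycle hook whose script is dominated by _0x-style identifiers) can be checked before a package is ever installed. The following is an added example, not code from the report or from the package: the function names, thresholds and sample file contents are assumptions constructed for illustration, and readFile is a caller-supplied function that returns a file's text from the unpacked tarball.

```javascript
// Install-time hooks npm runs automatically for a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Identifier shape emitted by string-array obfuscators, e.g. _0x2556a0.
const HEX_IDENT = /\b_0x[0-9a-f]{4,8}\b/gi;
// Hook commands of the form "node path/to/file.js".
const NODE_SCRIPT = /\bnode\s+(?:\.\/)?([\w@./-]+\.(?:c|m)?js)\b/;
// Heuristic thresholds (assumptions; tune them on your own corpus).
const MIN_DISTINCT = 3;
const MIN_DENSITY = 0.05; // hex-named tokens / all identifier-like tokens

function scoreSource(source) {
  const hexHits = source.match(HEX_IDENT) || [];
  const allIdents = source.match(/[A-Za-z_$][\w$]*/g) || [];
  const distinct = new Set(hexHits.map((s) => s.toLowerCase())).size;
  const density = allIdents.length ? hexHits.length / allIdents.length : 0;
  const obfuscated = distinct >= MIN_DISTINCT && density >= MIN_DENSITY;
  return { distinct, density, obfuscated };
}

// manifest: parsed package.json; readFile(path) returns file text or null.
function auditInstallHooks(manifest, readFile) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = manifest.scripts && manifest.scripts[hook];
    if (!command) continue;
    const m = NODE_SCRIPT.exec(command);
    const file = m ? m[1] : null;
    // A hook that is not "node <file>" is scored as inline text.
    const source = file ? readFile(file) : command;
    if (source == null) {
      findings.push({ hook, file, verdict: "missing-file" });
      continue;
    }
    const score = scoreSource(source);
    const verdict = score.obfuscated ? "obfuscated" : "readable";
    findings.push({ hook, file, ...score, verdict });
  }
  return findings;
}

// Constructed samples (not the real package contents).
const SAMPLE_FILES = {
  "scripts/postinstall.js":
    "const _0x2556a0=_0x3929dc;function _0x3929dc(_0x2f9082,_0x1a2b3c){" +
    "return _0x4d5e6f()[_0x2f9082-0x1a4];}function _0x4d5e6f(){return ['a','b'];}",
  "scripts/build.js": "const path = 'dist';\nconsole.log('built', path);\n",
};
const readSample = (p) => (p in SAMPLE_FILES ? SAMPLE_FILES[p] : null);
```

To run it against an unpacked tarball, pass the parsed package.json and a readFile backed by the filesystem; a finding of "obfuscated" or "missing-file" on any install hook is a reason to hold the package for manual review.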
