@emcd-vue/loans @7.2.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-5165
Ecosystem
npm
Summary
On npm install , the declared postinstall script scripts/postinstall.js executes a heavily obfuscated (obfuscator.io-style) bundle that collects host identifiers (hostname, username, homedir), the full process.env (with Windows-specific keys such as USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), the tail of shell history, and the contents of a hardcoded list of files under the user's home directory that the package itself never created. The collected object is transmitted to a remote endpoint over HTTP(S) and additionally over a covert DNS channel: the payload is base32-encoded into subdomain labels and issued as dns.Resolver().resolveTxt(...) queries in chunks, bypassing HTTP egress filters. Endpoint hostnames, header names, and API strings are reconstructed at runtime via a shuffled string array with RC4/XOR decoders. Before exfiltrating, the script checks process.argv and NODE_OPTIONS for debugger indicators and performs a timing check to detect sandboxes, skipping the exfil if analysis instrumentation is detected. The package also exhibits dependency-confusion shape: metadata references an internal-looking scope and registry ( @emcd-vue , npm.emcd-vue.io , github.emcd-vue.io ) while being published to the public npm registry, and dist/index.js re-exports a ../src/index.js that is absent from the tarball, so the package has no functional library surface — the postinstall is its only executable code.
Source: amazon-inspector (7b5f346a554fe9f5f7cfc733c36d4c92c373aea12e245ef70e1031f41ff76f05)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.