@thone33/core-utils @1.0.5
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC
OSV ID
MAL-2026-6564
Ecosystem
npm
Summary
@thone33/core-utils 1.0.4 is a loader stub. Its main entry (index.js) imports activate from the same-author dependency @thone33/analytics-injector and invokes it at module top level, i.e. on every require() of the package, whenever process.env.NODE_ENV === 'production'. The author's own inline comment describes this as silently activating a payload in production ('ATIVA O PAYLOAD SILENCIOSAMENTE (em produção)', Portuguese for 'ACTIVATES THE PAYLOAD SILENTLY (in production)'). The package is advertised as 'Core utilities', which does not justify a production-gated call into an 'analytics-injector' dependency.

The NODE_ENV=production gate is an evasion pattern: the code stays dormant on developer laptops and in CI, where NODE_ENV is typically unset or set to 'development'/'test', and fires only in deployed production processes, which then execute whatever code the author publishes under @thone33/analytics-injector. Because the injector lives in the same author scope and is declared with the caret range ^1.0.0 rather than an exact version, the author can push arbitrary additional code into consumers' production runtimes through a minor or patch release of the injector without changing this package at all; a lockfile freezes today's resolution, but any lockfile refresh or fresh install that re-resolves the range picks up the new release.
Source: amazon-inspector (05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120)