@torbeck/priority-queue @6.3.9
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10472
Ecosystem
npm
Summary
The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax to silently substitute the legitimate @datastructures-js/heap with a sibling package @torbeck/heap@4.3.8 published by the same untrusted maintainer. src/priorityQueue.js does require('@datastructures-js/heap'), so on every import the substituted @torbeck/heap is loaded in place of the upstream package. The installer-facing harm is the namespace-abuse mechanism itself: any consumer who installs @torbeck/priority-queue automatically pulls @torbeck/heap under a name that reads as the legitimate datastructures-js dependency, regardless of what the @torbeck/heap tarball currently contains. The actual payload, if any, lives in @torbeck/heap and must be analyzed in its own record.
Source: amazon-inspector (b3109ebd719fa91812bd69e50b418b78f2a04c5478924f6ff53054cb798dc937)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.