@tqm-mfe/main @5.4.7
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10517
Ecosystem
npm
Summary
scripts/postinstall.js is a heavily obfuscated (obfuscator.io-style: 270+ entry rotated string array, RC4+base64 decoders, hex-encoded dispatchers) lifecycle script that runs automatically on npm install . On execution it (1) checks process.argv, process.env.NODE_OPTIONS, and process.execPath against decoded debug/inspector markers plus a wall-clock timing loop to skip the malicious branch under sandboxes and analyzers, then (2) performs an HTTPS fetch of a remote binary payload to a destination assembled at runtime from RC4/base64 fragments, (3) XOR-decrypts the response with a keyed buffer, (4) writes the decrypted files into a per-platform persistent app-data directory (Windows %APPDATA%/%LOCALAPPDATA%, macOS/Linux equivalents) via fs-extra copy/rename, (5) marks them executable, and (6) spawns them detached with stdio:'ignore' and windowsHide:true, unref'd from the installer process to survive after npm exits. In parallel, a beacon posts JSON containing the package name/version, an ISO timestamp, and a system object built from os.homedir(), os.type(), os.platform(), os.hostname(), and os.arch() to a runtime-decoded URL. The package's public metadata (author platform@tqm-mfe.io , repository github.tqm-mfe.io , homepage docs.tqm-mfe.io , README framing as an internal corporate mirror) does not correspond to a real public project and is consistent with a dependency-confusion lure targeting organizations that might resolve the @tqm-mfe scope from the public registry. All URLs, filenames, keys, and paths are decoded at runtime and none of this behavior is required by the advertised 'API mocking middleware' functionality.
Source: amazon-inspector (ba70610a96625984d6a26c5cfba828a98fad70a559f34eb881289f9ce4f625a1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.