npm

antsrcsrctest @1.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10038

Ecosystem

npm

Summary

On npm install , the declared preinstall script (preinstall.js) POSTs the installer's full process.env , os.hostname() , os.platform() , cwd, container-detection artifacts ( /.dockerenv , /proc/1/cgroup , /proc/self/mountinfo ), and the output of shell reconnaissance commands ( id , whoami , hostname , ps aux ) to http://101.35.44.248 over plain HTTP. The script additionally issues curl requests to the Alibaba Cloud instance metadata service at 100.100.100.200 , including the latest/meta-data/ram/security-credentials/ path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.

Source: amazon-inspector (80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.