antsrcsrctest @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10038
Ecosystem
npm
Summary
On npm install , the declared preinstall script (preinstall.js) POSTs the installer's full process.env , os.hostname() , os.platform() , cwd, container-detection artifacts ( /.dockerenv , /proc/1/cgroup , /proc/self/mountinfo ), and the output of shell reconnaissance commands ( id , whoami , hostname , ps aux ) to http://101.35.44.248 over plain HTTP. The script additionally issues curl requests to the Alibaba Cloud instance metadata service at 100.100.100.200 , including the latest/meta-data/ram/security-credentials/ path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.
Source: amazon-inspector (80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.