npm

auto-debug-tool @1.0.3

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10209

Ecosystem

npm

Summary

package.json declares a postinstall hook ( node install.js ) that fires automatically on npm install . On Windows, install.js invokes hidden PowerShell ( -NoP -NonI -W Hidden -Exec Bypass ) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable main branch of an unrelated personal GitHub account, then launches it detached with Start-Process -WindowStyle Hidden . No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.

Source: amazon-inspector (8dd31c11b5149d8dd2142c81cc066576dc799ba4dae4599a9569cb56256417ec)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.