backup1-gg @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10285
Ecosystem
npm
Summary
The npm package backup1-gg@2.0.0 ships multiple heavily obfuscated JavaScript bundles under assets/ (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) using the hex-identifier pattern typical of javascript-obfuscator output. The package name suggests a backup utility but the shipped contents are front-end UI bundles (page/component chunks), which does not match the advertised purpose. No install-time lifecycle scripts, credential reads, network endpoints, or exfiltration paths were identified from the available evidence; the obfuscation itself is the only concrete signal, and obfuscation alone is not proof of malicious intent.
Source: amazon-inspector (eb035cd86ea0fd9311ad7b6f509a5f6ff9916838194db2a06eed0576d91bb655)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.