npm

backup2-asd @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10286

Ecosystem

npm

Summary

The tarball published as backup2-asd@2.0.0 is a Vite-built browser application (branded 'Lucide') rather than a Node library. package.json declares main as index.html and defines no lifecycle scripts (no preinstall/install/postinstall/prepare), so npm install and require() do not execute any code in the installer's Node process. The bundled assets include heavily obfuscated JavaScript (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) and third-party components (Scramjet in-browser HTTP proxy via service worker, libcurl.js, LiveKit, fingerprinting, chat/games/AI pages); index.html loads an external script from c.vipersfutbol.com and Google Tag Manager. The package name and description ('Republished package') do not match the shipped browser-app contents. Behavior affects end-users who visit a site built from these assets, not the developer who installs the tarball.

Source: amazon-inspector (a6fe96add7d70ce5933988f1c78b934187e279d88618bd3f211de3d719177168)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.