backup3-ff @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10287
Ecosystem
npm
Summary
The npm package backup3-ff@2.0.0 ships multiple heavily obfuscated JavaScript bundles under assets/ (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) using javascript-obfuscator-style hex identifiers (_0x-prefixed variable names). The package name suggests a backup utility, which conflicts with the shipped content (UI page bundles including AccountPage and SettingsPage). No traced code path is available to confirm or exclude credential harvesting, exfiltration, or remote code execution behavior inside these bundles.
Source: amazon-inspector (9a32646e3ad3e35186f8344c19ccdecfd69c26e8047fc44b77c0516b644fd094)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.