npm

backup3-ff @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10287

Ecosystem

npm

Summary

The npm package backup3-ff@2.0.0 ships multiple heavily obfuscated JavaScript bundles under assets/ (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) using javascript-obfuscator-style hex identifiers (_0x-prefixed variable names). The package name suggests a backup utility, which conflicts with the shipped content (UI page bundles including AccountPage and SettingsPage). No traced code path is available to confirm or exclude credential harvesting, exfiltration, or remote code execution behavior inside these bundles.

Source: amazon-inspector (9a32646e3ad3e35186f8344c19ccdecfd69c26e8047fc44b77c0516b644fd094)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.