npm

backup4-gasp @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10288

Ecosystem

npm

Summary

The package ships multiple heavily obfuscated JavaScript bundles under assets/ (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) that use hex-prefixed identifier mangling consistent with javascript-obfuscator output. The package name presents as a backup utility, but the shipped assets appear to be a bundled web UI (account, settings, games pages) whose contents cannot be readily inspected due to the obfuscation. No install-time lifecycle hook, hardcoded network destination, credential access path, or dropper mechanism was identified in the shipped files. The mismatch between the declared name and the shipped web-app assets, combined with opaque obfuscation of user-facing code paths, reduces transparency about what the bundles do when loaded.

Source: amazon-inspector (8e42991a6cdb40d2c1dec58317f280d0a6e38ad2dfa14b1a0dfe2ac40c5dc18a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.