npm

backupgenuine-updated @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10290

Ecosystem

npm

Summary

Package published as backupgenuine-updated@2.0.0 with description "Republished package" actually contains a Vite-built single-page application titled "Lucide" that implements a Scramjet in-browser web proxy (JS/WASM assets under bfjdx/ and ct1tl/ , service worker, boot module). package.json declares no lifecycle scripts (no preinstall/install/postinstall/prepare) and main points to index.html , so npm install and require() do not execute any of the shipped code on the installing machine. The shipped index.html injects a third-party script from https://c.vipersfutbol.com/script.js and the boot module hardcodes wss://21baseballacademy.com/fairs/ as the proxy transport; both only run in a browser that serves and loads the built SPA, not on the developer installing the tarball. Several bundled route chunks (AccountPage, DarkVeil, GamesPage, PlusBlockedNote, SettingsPage) are heavily obfuscated with hex-identifier naming, which is a transparency concern for the browser-side application but does not create an install-time or import-time code path on the installer.

Source: amazon-inspector (163e55285112106141566338db7483490b20567a431458b4b921a71534135ce0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.