cbr-internal-utils @2.2.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10530
Ecosystem
npm
Summary
On module load, the package's main entrypoint shells out via child_process.exec to run cat /etc/passwd and prints the contents to stdout. This fires unconditionally when any consumer require() s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.
Source: amazon-inspector (fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.