npm

cbr-internal-utils @2.2.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10530

Ecosystem

npm

Summary

On module load, the package's main entrypoint shells out via child_process.exec to run cat /etc/passwd and prints the contents to stdout. This fires unconditionally when any consumer require() s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.

Source: amazon-inspector (fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.