OSV ID
MAL-2026-3752
Ecosystem
npm
Summary
The package ships cdp_inject.js, which combines child_process, fs, http/https, and base64 encoding to gather system information and exfiltrate it over the network. The file imports http, https, fs, and child_process at the top, reads process.env.USER and other environment data, executes shell utilities (including ping for host reconnaissance), reads files via fs.readFileSync, base64-encodes the collected content (toString('base64') at L205 and L209), and posts it out via https.request/http.get with a hardcoded hostname and POST body. This is the canonical sysinfo+filesystem credential-stealer shape: the package's only on-load effect is to harvest installer-side data and ship it to a network destination. The package name ("cdp-core") and absence of any legitimate library functionality consistent with this code further indicate the file's purpose is exfiltration rather than a documented feature.
Source: amazon-inspector (dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.