
clsx-js@1.0.5

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4531

Ecosystem

npm

Summary

On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous, mutable JSON-hosting service via axios, and pipes the response's data.content into a detached node child process's stdin for execution. The fetch has no version pin and no hash or signature verification, and the source is operator-mutable, so the attacker can swap the executed payload at any time. The package additionally typosquats the widely used clsx utility (by Luke Edwards): the name is a one-token edit, and the description, author name, email, and homepage are copied verbatim from the legitimate clsx to impersonate the upstream maintainer. The genuine clsx ships no postinstall; this fork adds one whose only purpose is the remote-code dropper. A malformed Dependencies (capital-D) field also lists child_process, a known squat name. Installing this package on any machine results in arbitrary attacker-controlled code execution under the installer's user account.

Source: amazon-inspector (23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6)
