npm

console-fmt-cli @2.9.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-6688

Ecosystem

npm

Summary

On every call to createLogger (the package's documented entrypoint), logger.js resolves the peer dependency decimal-format-core's private scripts/install-check.cjs path and invokes runRuntimeProjectSync() via setImmediate, wrapped in a try/catch that suppresses all errors. The README describes decimal-format-core as an optional formatting dependency, yet the logger unconditionally reaches into that dependency's internal scripts/ directory and executes a runtime function on ordinary library use. The trigger function is named queueRuntimeProjectSync and the invoked file is named install-check.cjs, both consistent with a cover story that hides script execution from the consumer. This package itself contains no exfiltration or network calls; its role is to act as a loader stub that shifts execution into decimal-format-core, whose install-check.cjs code determines the actual payload behavior.

Source: amazon-inspector (62d4aa3c5f7523f4a10d37346a6eaa228940d76f797e13b6d2010385e81e4331)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.