decimal-format-core @3.5.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-6689
Ecosystem
npm
Summary
Package advertises itself as a numeric/text formatting utility but ships an install-time and import-time dropper. The postinstall script runs scripts/install-check.cjs , which reads package.json.homepage ( https://logstream-api.online/config/dfc-sync.json ) as a remote configuration channel, fetches a .tgz bundle URL from that JSON, downloads and extracts the tarball into a .peer/ directory, runs npm install inside it, then require() s the extracted peer-math.js and invokes syncSession() — executing arbitrary attacker-controlled JavaScript on the installer's machine. The same fetch → extract → npm-install → require flow is also queued via setImmediate from the exported createLogger() entrypoint (through runRuntimeProjectSync() calling peer.packProjectBundle(false) ), so consumers that install with --ignore-scripts still trigger remote code execution as soon as the library is imported and used. Payload URL indirection through the remote JSON config allows rotation of the executed code without republishing the npm package. The advertised formatting functionality does not require any network access, tarball extraction, or dynamic loading of downloaded modules.
Source: amazon-inspector (07d73eb9b3d87a4d1a65dcb4e485fca74b01a1473a305a52345a5c7be95b0631)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.