dotnet-runtime-base @1.0.5
Vulnerability report · Last retrieved from osv.dev July 13, 2026 at 7:40 AM UTC
OSV ID
MAL-2026-10217
Ecosystem
npm
Summary
The package's postinstall lifecycle script (package.json line 7: "postinstall": "node install.js") runs install.js, which on Windows writes a PowerShell script to %TEMP% and uses WebClient.DownloadFile to fetch https://raw.githubusercontent.com/cphc811-ui/d3d/main/npm-sc-legit.exe from a personal GitHub account unrelated to the package publisher, then launches the executable via powershell.exe with -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NonInteractive. The dropper is gated to skip when process.platform is not 'win32' and when NODE_ENV=='development', evading developer and CI environments. The fetch targets a mutable branch (main) with no hash or signature verification, the binary is staged to a temp path and started hidden, and index.js contains a cover-story comment labelling the postinstall as the hidden payload. Installing this package on Windows causes arbitrary attacker-controlled code to run on the installer's machine.
Source: amazon-inspector (c10c75766303f8c3bf261487e341e537f103116026309006ab71d977aacdd235)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.