npm

es6-codify @2.2.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10062

Ecosystem

npm

Summary

The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation.

Source: amazon-inspector (e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.