npm

fetchcraft @1.0.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10435

Ecosystem

npm

Summary

package.json declares the runtime dependency node-runtime-utils as https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz — a tarball fetched from the mutable main branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning. On npm install fetchcraft , npm downloads and installs whatever bytes that URL serves at install time, including any lifecycle scripts (preinstall/install/postinstall/prepare) shipped in the fetched tarball. Because the source is a mutable branch under a personal account rather than a registry-published package or a pinned commit, the contents can be swapped at any time without any change to fetchcraft itself, allowing arbitrary code to be executed on the installer's machine. The dependency is not referenced by the package's exported code, giving it no legitimate functional purpose.

Source: amazon-inspector (c1a40f1af8ba957a18b37ddba0dbe5634112f489841b22208eff421f9a09f786)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.