npm

forge-jsxy @1.0.121

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-3609

Ecosystem

npm

Summary

Package ships a postinstall script (scripts/postinstall-agent.mjs) and bundled runtime modules (dist/discordRelayUpload.js, dist/relayServer.js, dist/secretScan/agentStartupAudit.js, dist/hfCredentials.js, dist/deploymentDefaults.js) that include patterns commonly seen in both legitimate integrations and supply-chain attacks: base64-encoded blobs decoded via Buffer.from(..., 'base64'), HTTP POSTs, ping/network probes, and outbound fetches to huggingface.co. The naming and module shape (Discord relay upload, HuggingFace credentials, secret-scan agent startup audit, encode-deployment script, deployment defaults) is consistent with a legitimate developer-tool package that integrates with HuggingFace and Discord, but the combination of a postinstall agent script, base64-decoded deployment defaults, hardcoded credentials module, and a 'discordRelayUpload' path that performs POST requests warrants manual inspection. Without traced-code corroboration of the actual data flows (what is read from the installer's environment, where decoded blobs end up, whether postinstall-agent.mjs auto-fetches or executes remote content), the patterns alone do not establish installer-side harm versus a legitimate integration. Reviewer should specifically verify: (1) whether scripts/postinstall-agent.mjs reaches network destinations or executes fetched bytes at install, (2) what dist/deploymentDefaults.js's base64 blobs decode to and how they are used, (3) whether dist/discordRelayUpload.js POSTs caller-supplied data to a hardcoded Discord webhook (silent-relay shape) or only to user-configured destinations, (4) what dist/hfCredentials.js reads and where it sends it.

Source: amazon-inspector (0a0645a2d255ab04d1ce2754b77998d817d9066f86928a293eca787893e60bc3)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.