gamified-trading-system @3.6.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10502
Ecosystem
npm
Summary
The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are setDefaultModule and getPlugin . getPlugin assembles the URL https://svganchordev.net/icons/116 from split string fragments ( protocol / domain / separator / path / token ), fetches it with a fake bearrtoken: 'logo' header, and passes the response's data.credits field to new Function('require','module','exports',...,'Promise', data.credits) invoked with require , process , Buffer , and other host globals. This is a remote loader: whoever controls the attacker endpoint controls arbitrary code executed in the installer's Node process with full module privileges. A second function setDefaultModule fetches font-awesome SVGs from cdnjs as a decoy to camouflage the active loader. Declared runtime dependencies ( @primno/dpapi , better-sqlite3 , node-machine-id ) line up with Windows DPAPI credential-decryption / machine-fingerprinting payloads commonly delivered by this loader shape. The package also ships an ed25519 OpenSSH private key ( gitlab , comment testm@DESKTOP-PO28IS1 ), corroborating sloppy/hostile provenance.
Source: amazon-inspector (f24facab67c0c7bd4775a6081ee54f4fab3fa7a5dd93b52a87f1111088e5e501)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.