OSV ID
MAL-2026-6113
Ecosystem
npm
Summary
intquery@1.1.5 is published under the name 'intquery' by 'Stagnation Lab', but its README is a verbatim copy of the unrelated project ts-logger-pack (github.com/kallaspriit/ts-logger-pack) and its LICENSE attributes copyright to Priit Kallas. The README advertises 'A zero-dependency TypeScript logger interface', while package.json line 38 declares a runtime dependency on obfus-jsxy@^3.2.0 — a name with no relationship to logging and not mentioned anywhere in the README. The shipped dist/ contents are a trivial dummyLogger that does not use obfus-jsxy at runtime, so the dep serves no functional purpose for the advertised package. The structural pattern — identity-laundering (renamed clone, mismatched author/LICENSE/README), undeclared and purpose-mismatched runtime dep, trivial cover code — is the shape of a delivery vehicle that silently pulls obfus-jsxy onto any installer's machine via npm install intquery .
Source: amazon-inspector (cf4fe75f735c39be9ffe01686f69fd519c1408dd3473bb833506e1948fbc74a7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.