npm

my-empty-package @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10535

Ecosystem

npm

Summary

package.json declares postinstall: node index.js . On npm install , index.js branches on os.platform() and executes platform-specific shell commands: osascript on macOS, powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE> on Windows, and python3 -c 'os.system(...)' on Linux. After the payload runs, a cleanup step renames a shipped package.md over package.json and unlinks index.js itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.

Source: amazon-inspector (914ffc98ce1f6553e4f9655208318800d0d22663842eb4c9a3d0d51d4f143bdd)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.