my-empty-package @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10535
Ecosystem
npm
Summary
package.json declares postinstall: node index.js . On npm install , index.js branches on os.platform() and executes platform-specific shell commands: osascript on macOS, powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE> on Windows, and python3 -c 'os.system(...)' on Linux. After the payload runs, a cleanup step renames a shipped package.md over package.json and unlinks index.js itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.
Source: amazon-inspector (914ffc98ce1f6553e4f9655208318800d0d22663842eb4c9a3d0d51d4f143bdd)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.