npm

npm-rce-poc @1.0.13

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-7019

Ecosystem

npm

Summary

Package declares a postinstall lifecycle script that, on npm install , fetches a script over plain HTTP from a hardcoded bare IP (http://115.190.124.243:8761/slt on Unix,.../swt on Windows) and immediately executes it — piping to sh on Unix and writing to C:\Users\Public\run.bat via certutil then invoking it on Windows. The package presents itself as date-fns-lite , a lookalike of the popular date-fns library, and ships a benign-looking date-formatting index.js as cover; the actual behavior is an install-time dropper that hands remote code execution to the operator of 115.190.124.243 against every installer. No pinning, no integrity check, no TLS.

Source: amazon-inspector (6365312ad1339c7d5539f594b9e472ea3f10401fa356fe49766de887368e87c9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.