pdf-lib-enhanced @2.2.0
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-4799
Ecosystem
npm
Summary
Package name pdf-lib-enhanced mimics the widely-used pdf-lib library and ships a verbatim copy of upstream's README. package.json declares repository.url pointing at a fresh GitHub account ( harunosakura030303-maker/pdf-lib-enhanced ) while bugs.url still points at the original Hopding/pdf-lib project — a metadata mismatch consistent with a hastily-forked squat. The dist/ directory contains unrelated SheetJS assets ( xlsx.full.min.js , xlsx.zahl.js , cpexcel.js , etc.) that have no purpose in a PDF library. However, the CommonJS main entry ( cjs/index.js ) re-exports the upstream pdf-lib API without any credential reads, exfiltration, dropper, or silent-relay behavior, and package.json declares no preinstall / install / postinstall / prepare lifecycle scripts, so installing the package does not auto-execute any code. The dormant SheetJS bundles are not referenced from the main entry. Name-similarity to a top-tier package combined with an irrelevant payload bundle warrants human assessment of intent, but there is no concrete installer-harm mechanism observable in the shipped code.
Source: amazon-inspector (5f666f9074e4d180ff635e06498918c71189395e3f8fd56a177767145022d76f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.