npm

pure-folder-three @0.7.3

Vulnerability report · Last retrieved from osv.dev July 13, 2026 at 7:40 AM UTC

Malicious

OSV ID

MAL-2026-10218

Ecosystem

npm

Summary

pure-folder-three@0.7.3 executes attacker-controlled shell commands on install and on import. The postinstall entry (src/build.js) decodes an obfuscated destination via base-45/base-77 fromCharCode arithmetic, resolving to https://rnjkerbf.org/T/ with process.platform appended, and dynamically resolves require('https') through the same decoder. It issues an https request to that host and passes the response's m header directly to child_process.execSync, giving the remote server arbitrary command execution on the installer host. The payload is gated by a username check that skips execution when USER/LOGNAME/USERNAME contains 'justin', excluding the author's own machine while running on every other installer. The same chain is also reachable at require/import time: src/index.js imports './build.js' from the package main, so consumers that load the module trigger the fetch-and-exec chain even with npm install --ignore-scripts. The URL, hostname, and the 'https' module name are all reconstructed from numeric arrays, concealing the network destination and the execution sink.

Source: amazon-inspector (6e83bf74d7c84c48a1a478d7bb40bbd899c4fda613f1512b66184d3de478b480)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.