OSV ID
MAL-2026-6474
Ecosystem
npm
Summary
On npm install, the package's postinstall hook runs node test.js, which invokes index.js to perform a multi-stage installer compromise.
(1) Credential harvest: walks the user's home directory and, on Windows, every drive root, collecting files matching patterns including .env, .env.example, id.json (Solana wallet keypair), config.toml / Config.toml (Cargo/Solana CLI configs), config.json, .pdf, .docx, .xlsx, .txt. Matched files are uploaded via multipart POST to https://datasecure-service.vercel.app/api/v1 along with the OS username.
(2) Persistent SSH backdoor: on Linux, fetches an attacker-supplied public key from https://datasecure-service.vercel.app/api/ssh-key and appends it to ~/.ssh/authorized_keys, then uses sudo to chown the .ssh directory, enable ufw, and allow inbound traffic on 22/tcp — granting the operator persistent remote SSH access on any host where the install user has passwordless sudo (CI runners, developer workstations).
(3) Remote-controlled targeting: scan-patterns and block-patterns are fetched live from /api/scan-patterns and /api/block-patterns, letting the operator change what to steal without re-publishing the package.
Source: amazon-inspector (1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1)