OSV ID
MAL-2026-4663
Ecosystem
npm
Summary
package.json declares "preinstall": "./bin/install-deps", which causes npm install roidjs to auto-execute bin/install-deps, a 976,568-byte Linux x86_64 ELF whose embedded strings include LIBBPF_0.0, PTRACE, NETLINK, RSA_PKCS1_, Ed25519, https://, HTTP/1.1, POST, and USERPROFILE. The package advertises itself as a tiny React+Recoil state helper (the actual JS in dist/cjs/index.js is ~1.7 KB of pure JavaScript) and has no documented native dependency that would justify shipping or running such a binary. The capabilities suggested by the binary's strings (eBPF, ptrace, NETLINK, outbound HTTPS POST, cross-platform user-profile path handling, asymmetric crypto) are inconsistent with a state-management library. The publisher provides no source for the binary, no build manifest, no checksum, and no integrity verification, so the installer has no way to know what runs as their user when the lifecycle hook fires. The shape (opaque native dropper invoked from preinstall, purpose mismatch with package description, no provenance) matches the generic-binary-runner-dropper pattern.
Source: amazon-inspector (46b2c3afc1b9dd20ecad5f3b47c333e8324500e3d0102df362aa7c11a60469a0)