npm

security-node @1.1.4

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10107

Ecosystem

npm

Summary

package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On npm install , npm fetches whatever tarball that URL currently serves and installs it as node_modules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's node_modules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.

Source: amazon-inspector (2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.