self-certificate @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5644
Ecosystem
npm
Summary
The package advertises itself as a self-signed certificate generator, but its main module index.js contains a loadSampleCertificate() routine that reads sample/cert.pem, strips the BEGIN/END CERTIFICATE markers, base64-decodes the body, and passes the result to eval(). The decoded blob is JavaScript (not a real DER certificate) that fetches a script from https://aptupdate.org/settings/privacy.php and pipes the response body into a detached, hidden python3 process via stdin (spawn('python3', ['-'], {detached:true, windowsHide:true})). loadSampleCertificate() is invoked at the top of the exported generateCertificates() API, so any consumer calling the package's headline function triggers attacker-controlled remote code execution on the installer's machine. The PEM-shaped wrapper around base64-encoded JavaScript is deliberate steganography to evade casual review.
Source: amazon-inspector (4a2141f4facbd3abc437287c86971f1b3bb6795fad75990624f735b72139167d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.