npm

server-parket @4.0.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6335

Ecosystem

npm

Summary

package.json declares postinstall: node test.js , but test.js is not present in the tarball — installation fails with MODULE_NOT_FOUND and no code executes against the installer. The shipped index.js is a one-line stub containing a broken console(...) call (no real functionality). Despite the placeholder content, the package declares axios, form-data, child_process, and os as dependencies — building blocks commonly used for exfiltration scripts — and ships with empty author/description metadata and a 'trial version' message. The current published version causes no installer harm because the referenced payload script is missing, but the shape (stub package + suspicious dep set + lifecycle hook pointing at an unshipped script) is consistent with a placeholder release that could be weaponized in a follow-up version. Routing for human review of maintainer identity and registry context.

Source: amazon-inspector (5a06d1b04d930608a5d15999711be4158b61d96a0f9c0c63353b3b25cd302c86)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.