npm
Malicious setup-cicd @0.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6686
Ecosystem
npm
Summary
Package setup-cicd@0.0.1 contains no observed behaviors matching supply-chain attack patterns. No lifecycle scripts, install-time network fetches, credential reads, exfiltration endpoints, or dropper indicators were found in the scanned files. The package appears minimal in scope with no concrete evidence of installer harm.
Source: amazon-inspector (3b9d7d7f16320d5296fb3acf5cc61ae1cf55125c89fde6b702acd406e1516f92)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.