npm

sodel-pych @1.0.122

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6062

Ecosystem

npm

Summary

The package ships several files whose names and contents suggest a non-trivial install-time and runtime footprint: a postinstall script (scripts/postinstall-agent.mjs) that performs network I/O including a ping/GET against an identifier-bearing endpoint, a relay server (dist/relayServer.js) with multiple ping invocations, a Discord relay upload module (dist/discordRelayUpload.js) combining base64 decoding with POST calls, a Hugging Face credentials module (dist/hfCredentials.js) using base64-decoded values, and a secret-scan startup audit (dist/secretScan/agentStartupAudit.js) that fetches huggingface.co endpoints. The combination of a postinstall agent, a Discord upload path, base64-encoded data in deployment defaults, and credential/secret handling is consistent with either (a) a legitimate ML/agent tooling package that talks to Hugging Face and uses Discord for notifications, or (b) a credential-relay/exfiltration tool. The evidence available here is keyword-level pattern matches without traced execution paths, so intent cannot be determined from this data alone. A human reviewer should inspect scripts/postinstall-agent.mjs to confirm what runs on npm install , dist/discordRelayUpload.js to confirm whether installer-side data is shipped to Discord, and dist/hfCredentials.js to confirm whose credentials are read.

Source: amazon-inspector (c7d67bcaf42f4ef050a6b824dfbc2f711d6820f7b3b1140d211110f390e512fa)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.