sync-external @1.6.2
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6336
Ecosystem: npm
Summary
The package ships an obfuscated JavaScript file at shim/index.js using hex-style identifier mangling (_0x391f3f, _0x3eff0a, _0x534564, etc.) characteristic of javascript-obfuscator output. Obfuscation alone is not proof of malicious intent — some publishers obfuscate for anti-tampering or anti-piracy reasons — but it prevents reliable assessment of the file's runtime behavior, and contextual tracing of the obfuscated code path was not available. No concrete evidence of credential exfiltration, install-time fetch-and-execute, silent relay of caller data, or hardcoded attacker C2 was observed, but the inability to verify what the obfuscated shim does at load or use time leaves the residual risk unresolved. Human review of the de-obfuscated content is recommended before trusting this package in a build pipeline.
Source: amazon-inspector (dc297a0deaba794fdbfccc280a79c7cc895f21fc4e0122b1fba1bc4759b66c3f)