system-core-utils @1.0.0
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 12:37 PM UTC
OSV ID
MAL-2026-6380
Ecosystem
npm
Summary
On require / import , src/index.js shell-executes a hidden PowerShell one-liner that downloads launcher.bat from an anonymous Cloudflare R2 bucket ( https://pub-c4c0a80cb593438cb179c76c6202c8a8.r2.dev/launcher.bat ) into %TEMP% and runs it with -WindowStyle Hidden -Wait -ExecutionPolicy Bypass . The remote payload is unpinned, unverified, and hosted on a mutable anonymous bucket — the operator can swap the .bat content at any time. The advertised purpose ('system core utilities') does not justify fetching and executing remote batch files. Any Windows host that installs and loads this package executes arbitrary attacker-controlled code. The tarball additionally ships deze.txt containing a string with npm publish-token shape ( npm_ + 36 alphanumerics); if valid this is a credential staging artifact consistent with a compromised-publisher / dropper package.
Source: amazon-inspector (0a1d575b5be4daa71ffea6c37e5990b0396f864234cb5f0488c11332cdd7e4d3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.