testis-pack @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10074
Ecosystem
npm
Summary
package.json declares a preinstall hook ( node index.js ) that runs automatically on npm install . index.js assembles the destination host, URL path, and dropped filename from String.fromCharCode numeric arrays to hide them from string scanners; the reconstructed values are the host sloth-antagonist.vercel.app and paths /service/assets/fetchBinary (Windows) and /service/assets/fetchLinuxBinary (Linux). The script downloads the unpinned, unverified binary via https.get(...).pipe(createWriteStream(dest)) , writing it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux — cover names that impersonate a Windows system component. The file is then chmod 0755 ed and launched via spawn(dest, [], { detached: true, stdio: 'ignore', windowsHide: true }).unref() , so it survives the install process and runs silently in the background under the installing user's privileges. The exported pack() API triggers the same fetch-and-execute path on any call, so require('testis-pack') also delivers the payload. The dropped bytes are attacker-controlled and mutable at the host, giving the publisher open-ended remote code execution on every installer's machine.
Source: amazon-inspector (96f8bc8284635b679a5ca943750a4d3386f73539e05352fd4cd6b0da5d01496f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.