npm

trinity-scheme @20.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10425

Ecosystem

npm

Summary

On npm install, the package's preinstall lifecycle reads a hex-encoded command string from preinstall.json, decodes it via Buffer.from(..., 'hex'), and passes the decoded shell command to child_process.exec. The decoded payload collects the installer's whoami , pwd , and hostname output and POSTs the values to the hardcoded endpoint https://eo7o7j442dx6yl6.m.pipedream.net/. The command is stored in hex form to evade plain-text scanning; the package otherwise provides no functionality consistent with its declared name.

Source: amazon-inspector (5d576c0487668f599137a479e17ddc1335935fdec631f7d5adfa9e73049d7652)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.