ts-einkle @1.0.9
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC
OSV ID
MAL-2026-6524
Ecosystem
npm
Summary
package.json declares postinstall=node test.js, which invokes index.js main() at install time. The code performs three concrete installer-side attacks.

(1) Credential harvest: recursively scans process.cwd() for .env, config.toml/json, and id.json files and multipart-POSTs them to https://datasecure-service.vercel.app/api/v1.

(2) Whole-filesystem document sweep: getScanPaths() returns os.homedir() on Unix and every Windows drive root (A:..Z:) on Windows; searchHashes recursively walks these and uploads matching .txt/.json/.env/.doc/.docx/.xlsx/.pdf/.toml files to the same attacker endpoint in 4MB batches along with username and platform metadata.

(3) Persistent SSH backdoor on Linux: fetches an attacker-controlled public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys (chmod 0600), then runs sudo chown, sudo ufw enable, and sudo ufw allow 22/tcp to ensure inbound SSH reachability.

Cover-story strings ([data-backup-upload] log prefix, polymarket-bot/0.1 User-Agent, empty package.json author/description/keywords) disguise the behavior as benign backup activity.
Source: amazon-inspector (25da283df3c201222ff1542da14b7fe428ab18aad7641d3521d2d4274d373e0b)