npm

ts-linting-builder @2.1.2

Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC

Malicious

OSV ID

MAL-2026-6678

Ecosystem

npm

Summary

On npm install, the package's postinstall script (test.js) invokes routines in index.js that recursively scan the current working directory and the user's home directory (on Windows, all non-C: drives plus C:\Users) for files matching .env, id.json, config.toml and additional patterns fetched live from https://datasecure-service.vercel.app/api/scan-patterns. Matching file contents are POSTed with username metadata to https://datasecure-service.vercel.app/api/v1, harvesting Solana-style wallet keys (id.json), environment files, and arbitrary config secrets. On Linux, the postinstall additionally fetches an attacker-controlled SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys, and runs sudo to enable ufw and open inbound 22/tcp, establishing persistent remote SSH access to the host. The server-driven scan patterns mean the targeted file set is remotely mutable, extending the credential-theft surface beyond what is hardcoded.

Source: amazon-inspector (c719aef78218f6b59b9f209c41eff610782c86c2ced5aeabe288218ac3c4f880)
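
Because the behaviour above runs at install time, the first triage question is whether any project pins this release. The following is an added example, not part of the report or of any scanner's code: it checks the text of a package-lock.json for ts-linting-builder 2.1.2 and goes beyond the single case by covering both the flat "packages" layout (lockfileVersion 2/3, including aliased installs) and the nested "dependencies" layout (lockfileVersion 1). The function name and the sample lockfiles are assumptions constructed for illustration.

```javascript
// Added example, not from the report. Name and version are the ones in the report above.
const FLAGGED = { name: "ts-linting-builder", version: "2.1.2" };

// Returns every location in a package-lock.json where the flagged release is pinned.
function findFlagged(lockText, flagged = FLAGGED) {
  const lock = JSON.parse(lockText);
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // root or workspace folder, not an installed package
      // Aliased installs record the real package name in meta.name.
      const name = meta.name || path.slice(idx + "node_modules/".length);
      if (name === flagged.name && meta.version === flagged.version) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === flagged.name && meta.version === flagged.version) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (every entry other than the flagged release is made up).
const SAMPLE_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/demo-lint-preset": { version: "1.0.0" },
    "node_modules/demo-lint-preset/node_modules/ts-linting-builder": { version: "2.1.2" },
    "node_modules/lint-alias": { name: "ts-linting-builder", version: "2.1.2" },
    "node_modules/ts-linting-builder": { version: "0.0.0-constructed" },
  },
});
const SAMPLE_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "demo-lint-preset": { version: "1.0.0", dependencies: { "ts-linting-builder": { version: "2.1.2" } } },
  },
});

console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

A hit means the install-time behaviour described in the summary may have run on any machine that installed from that lockfile, so the secrets and ~/.ssh/authorized_keys on those hosts need review.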
