ts-linting-builder @2.1.2
Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC
OSV ID: MAL-2026-6678
Ecosystem: npm
Summary
On npm install, the package's postinstall script (test.js) invokes routines in index.js that recursively scan the current working directory and the user's home directory (on Windows, all non-C: drives plus C:\Users) for files matching .env, id.json, config.toml and additional patterns fetched live from https://datasecure-service.vercel.app/api/scan-patterns. Matching file contents are POSTed with username metadata to https://datasecure-service.vercel.app/api/v1, harvesting Solana-style wallet keys (id.json), environment files, and arbitrary config secrets. On Linux, the postinstall additionally fetches an attacker-controlled SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys, and runs sudo to enable ufw and open inbound 22/tcp, establishing persistent remote SSH access to the host. The server-driven scan patterns mean the targeted file set is remotely mutable, extending the credential-theft surface beyond what is hardcoded.
Source: amazon-inspector (c719aef78218f6b59b9f209c41eff610782c86c2ced5aeabe288218ac3c4f880)
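A defender-side check for the report above, added here as an example and not part of the OSV record: it walks a parsed package-lock.json and lists every copy of ts-linting-builder, direct or transitive, marking the reported version 2.1.2. The function name `findFlagged`, the `some-tool` parent package and the sample lockfile are constructed for illustration.

```javascript
const FLAGGED_NAME = "ts-linting-builder"; // package named in the report
const FLAGGED_VERSION = "2.1.2";           // version named in the report

// Returns [{ path, version, reported, hasInstallScript }] for every copy of
// the package found in a parsed package-lock.json, nested copies included.
function findFlagged(lock) {
  const hits = [];
  const record = (path, entry) => hits.push({
    path,
    version: entry.version,
    reported: entry.version === FLAGGED_VERSION,
    // npm records this flag only in lockfileVersion 2/3 "packages" entries.
    hasInstallScript: entry.hasInstallScript === true,
  });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (path !== "" && name === FLAGGED_NAME) record(path, entry);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 files carry both views of the same tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === FLAGGED_NAME) record(path, entry);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: the flagged package arrives transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/ts-linting-builder": {
      version: "2.1.2", hasInstallScript: true,
    },
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

On a real project, pass it `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A hit with `reported: true` means the postinstall behaviour described in the summary may already have run on any host that installed from that lockfile.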