npm

ulid-xyz @3.2.4

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-6672

Ecosystem

npm

Summary

Package publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to npm install index-ulid and import { ulid } from "index-ulid" , pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares scripts.postinstall that runs node dist/node/utils.js after a required-files guard, but dist/node/utils.js is absent from this tarball — only dist/node/index.cjs and dist/node/index.js ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta postinstall package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.

Source: amazon-inspector (23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.