OSV ID
MAL-2026-4703
Ecosystem
npm
Summary
On npm install , the package's postinstall hook ( install.js , registered via package.json line 10 "postinstall": "node install.js" ) downloads a platform-specific executable from https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip} (install.js:13 const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran' ), extracts it via shell tar / unzip , chmod 0o755 s it (install.js:165), and immediately executes it (install.js:170 execSync("${BIN_PATH}" version",...) ). The download host laogou.us does not match the package's declared publisher/homepage ( github.com/yongjie0203/veteran ); the URL is not version-pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of laogou.us can therefore serve arbitrary native code to every installer, with the bytes executed under the installer's user on npm install . This matches the publisher-mismatched, unverified, mutable-host dropper pattern.
Source: amazon-inspector (70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.