vor8zakon @1.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10694
Ecosystem
npm
Summary
Package advertises itself as 'A simple cryptographic library for JavaScript applications' but ships no crypto code and exports nothing. package.json declares a postinstall hook ( node index.js ) that detects the host OS and runs platform-specific commands: on Windows it builds a UTF16LE+base64 PowerShell EncodedCommand and runs it via powershell -WindowStyle Hidden -EncodedCommand <blob> ; on macOS it invokes osascript ; on Linux it spawns python3 -c "import os; os.system('gnome-calculator &')" . After execution, a cleanUp() routine renames a sibling package.md over package.json (replacing the manifest with a decoy) and deletes index.js itself, leaving a victim auditing the installed package directory with an innocuous manifest and no payload file. The current GUI-calculator action is a placeholder, but the harness — purpose mismatch, hidden-window obfuscated PowerShell, multi-platform install-time exec, manifest swap, self-deletion, empty README, throwaway author — is a working install-time RCE delivery channel and an anti-forensic dropper pattern, not a crypto library.
Source: amazon-inspector (99924288481504c324c3f573ba7ba99ac4e1c7a7f22a940c94d81059b868fdfd)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.