npm

vps-maintenance @0.1.0

Vulnerability report · Last retrieved from osv.dev July 4, 2026 at 4:11 PM UTC

Malicious

OSV ID

MAL-2026-6756

Ecosystem

npm

Summary

The package.json postinstall script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns /bin/sh with its stdin, stdout and stderr piped through the socket. Because npm runs postinstall automatically during npm install, any machine that installs vps-maintenance, directly or as a transitive dependency, immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge: this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (vps-maintenance) is a cover story; the actual behavior is a backdoor.

Source: amazon-inspector (110b8556d612185c2c6ea84731898d4f23f04658556e1ff22852f953b956e43a)