npm

vscode-test-web @1.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-6361

Ecosystem

npm

Summary

Package occupies the unscoped npm name vscode-test-web , a likely-misreference target for the legitimate @vscode/test-web scoped package. On require() , index.js prints a banner derived from os.platform() and os.hostname() and then calls process.exit(0) at line 42, which terminates any host process that imports it. The package's own metadata (package.json description) declares the upload as a security-research proof-of-concept squat for an MSRC bug-bounty report. There is no network I/O, no shell execution, no credential or filesystem read, and no install-time lifecycle hook — the only installer-side effect is the abrupt process termination on import, which would break a build that mistakenly resolves this name instead of @vscode/test-web . Name-confusion risk is real but intent appears non-malicious; routing for human adjudication.

Source: amazon-inspector (c62d19484eeb938a92dfdcc6cbce9dba47e390676774254b0dc318702a214418)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.