vybscan-testbed-obfuscated-postinstall @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10079
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle script that runs node -e "eval(Buffer.from('<base64>','base64').toString())" . Installing the package triggers execution of code that is not visible in the package source and is only materialized at install time by decoding an opaque literal. In this specific version the decoded blob is an inert console.log, but the mechanism — obfuscated-then-eval'd bytes wired into a lifecycle hook — is the canonical install-time remote-code-execution shape and has no legitimate use: it lets whoever controls the package substitute arbitrary code at install without changing readable source. The package's self-description as a testbed fixture does not neutralize the pattern; the same install-time hook would execute whatever bytes were placed in the base64 literal.
Source: amazon-inspector (cf9aee5b150e0606b1c5c2469fdab43496965a3dd5664df288d68d618e326567)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.