xnder-sdk @11.0.3
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-5491
Ecosystem
npm
Summary
The package ships scripts/script.js containing heavy obfuscation patterns (string-array shift rotation, hex-encoded numeric literals, while(!![]) control-flow flattening). Obfuscated code in install-time scripts is uncharacteristic of legitimate SDK distributions, which typically ship readable JavaScript or, at most, minified bundles. The obfuscation prevents straightforward verification of what the script does on installer machines. Without de-obfuscating the script and confirming whether it performs network I/O, credential reads, or code execution at install or require time, the specific installer-side behavior cannot be characterized.
Source: amazon-inspector (7d6bc17ad9fb1a8705ba5311c309bd7a54178d893f44c0c5ea2b19172171eb58)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.