OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6972 confirms this npm version as malicious. The OpenSSF Package Analysis project identified '@vwfs-its/sf-sac-frontend' @ 20.1.1 (npm) as malicious.
Advisory
MAL-2026-6972
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @vwfs-its/sf-sac-frontend (npm)
Details
The OpenSSF Package Analysis project identified '@vwfs-its/sf-sac-frontend' @ 20.1.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
1const { exec } = require('child_process');
L2: const os = require('os');
L3: const https = require('https');
L4: const http = require('http');
...
L12: return new Promise((resolve, reject) => {
L13: exec(command, (error, stdout, stderr) => {
L14: if (error) {
...
L30: pwd: '',
L31: hostname: os.hostname(),
L32: platform: os.platform(),
...
L96: if (res.statusCode >= 200 && res.statusCode < 300) {
L97: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Findings
2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings