OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10611 confirms this npm version as malicious. At npm install time the preinstall script (dist/index.min.js) reads installer-owned secrets — ~/.ssh/id_rsa, ~/.env, ~/.env.local, ~/.wallet.json — and iterates process.env for keys matching PRIVATE_*, MNEMONIC*, and SECRET*. Extracted content is scanned for 64-hex and WIF private keys and posted, along with the installer's hostname and username, to https://api.telegram.org/bot<redacted>/sendMessage using a...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/index.min.jsView on unpkg · L1Source collects local host identity data and sends it to an external endpoint.
dist/index.min.js#virtual:base64:round1View on unpkg · L4