OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10611 confirms this npm version as malicious. At npm install time the preinstall script (dist/index.min.js) reads installer-owned secrets — ~/.ssh/id_rsa, ~/.env, ~/.env.local, ~/.wallet.json — and iterates process.env for keys matching PRIVATE_*, MNEMONIC*, and SECRET*. Extracted content is scanned for 64-hex and WIF private keys and posted, along with the installer's hostname and username, to https://api.telegram.org/bot<redacted>/sendMessage using a...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource decodes a Base64-obscured HTTP endpoint at runtime.
dist/index.min.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/index.min.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.min.js#virtual:base64:round1View on unpkg · L2