OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10620 confirms this npm version as malicious. Package published as `ahooks-3.7.8` at version `13.1.1` with empty author/description/license impersonates the legitimate `ahooks` React hooks library. `package.json` declares a `preinstall` hook that runs `node index.js`, which collects the installer's hostname, platform, architecture, username/uid/gid/shell, home directory, current working directory, and the output of `whoami` and `id`, and POSTs the JSON to the...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg