registry  /  another-poc-by-tipsen  /  1.0.0

another-poc-by-tipsen@1.0.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10283 confirms this npm version as malicious. package.json declares a dependency `safe-chain-test` sourced from a tarball URL on an anonymous Cloudflare tunnel host (`periods-parcel-pittsburgh-upgrading.trycloudflare.com`) rather than the npm registry or a pinned git SHA. On `npm install`, npm fetches and installs whatever bytes that ephemeral, publisher-controlled host serves at the moment of resolution, bypassing registry scanning and integrity pinning...

Advisory
MAL-2026-10283
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in another-poc-by-tipsen (npm)
Details
package.json declares a dependency `safe-chain-test` sourced from a tarball URL on an anonymous Cloudflare tunnel host (`periods-parcel-pittsburgh-upgrading.trycloudflare.com`) rather than the npm registry or a pinned git SHA. On `npm install`, npm fetches and installs whatever bytes that ephemeral, publisher-controlled host serves at the moment of resolution, bypassing registry scanning and integrity pinning. The tunnel operator can change the served bytes at any time, so the installer's dependency graph resolves to arbitrary, unverifiable code executed with the transitive package's install-time and require-time privileges. The package itself is otherwise empty (only package.json and README.md; declared `main` index.js is absent), so the sole effect of installing it is to pull in the tunnel-hosted tarball. ## Source: ghsa-malware (52f519ab22257fd32777887f2f2c2109c13d6be8c4a0d8bb36ea5993e9c837e4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms another-poc-by-tipsen@1.0.0 as malicious (MAL-2026-10283): Malicious code in another-poc-by-tipsen (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory