OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10188 confirms this npm version as malicious. Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx)...
Advisory
MAL-2026-10188
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in awesome-ts-jest (npm)
Details
Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx). collectDevSecrets() additionally scans ~/projects, ~/dev, ~/code, ~/repos, ~/src, ~/work, ~/Desktop, ~/Documents and regex-matches file contents for EVM private keys, Solana key arrays, BIP-39 mnemonics, Hardhat mnemonics, AWS secrets, API_SECRET/ACCESS_TOKEN values, and npm/GitHub/PyPI tokens; matches are written into 'dev-secrets-scrape.txt'. gatherShellHistory() reads.bash_history,.zsh_history, fish history, and PowerShell PSReadLine ConsoleHost_history.txt and shells out via execSync('bash -c history') and execSync("zsh -c 'fc -l -1000'"). gatherClipboardSnapshots() invokes PowerShell Get-Clipboard, pbpaste, wl-paste, and xclip to capture clipboard contents. index.js also base64-decodes '8.8.8.8:80' and opens a UDP socket to learn the outbound interface IP for victim fingerprinting. upload.js multipart-POSTs the collected files, username, and platform metadata to a hardcoded endpoint at https://trabalhos-flax.vercel.app/api/v1 (DEFAULT_API_BASE). Several destination and pattern strings are base64-encoded at the entrypoint to obscure intent.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium4 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings