registry  /  awesome-ts-jest  /  29.4.12

awesome-ts-jest@29.4.12

A TypeScript testing and linting toolkit that integrates **TypeScript**, **ESLint**, and **Jest** into a unified developer workflow.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10188 confirms this npm version as malicious. Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx)...

Advisory
MAL-2026-10188
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in awesome-ts-jest (npm)
Details
Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx). collectDevSecrets() additionally scans ~/projects, ~/dev, ~/code, ~/repos, ~/src, ~/work, ~/Desktop, ~/Documents and regex-matches file contents for EVM private keys, Solana key arrays, BIP-39 mnemonics, Hardhat mnemonics, AWS secrets, API_SECRET/ACCESS_TOKEN values, and npm/GitHub/PyPI tokens; matches are written into 'dev-secrets-scrape.txt'. gatherShellHistory() reads.bash_history,.zsh_history, fish history, and PowerShell PSReadLine ConsoleHost_history.txt and shells out via execSync('bash -c history') and execSync("zsh -c 'fc -l -1000'"). gatherClipboardSnapshots() invokes PowerShell Get-Clipboard, pbpaste, wl-paste, and xclip to capture clipboard contents. index.js also base64-decodes '8.8.8.8:80' and opens a UDP socket to learn the outbound interface IP for victim fingerprinting. upload.js multipart-POSTs the collected files, username, and platform metadata to a hardcoded endpoint at https://trabalhos-flax.vercel.app/api/v1 (DEFAULT_API_BASE). Several destination and pattern strings are base64-encoded at the entrypoint to obscure intent.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 29.0 KB of source, external domains: trabalhos-flax.vercel.app

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium4 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings