registry  /  bvm-core  /  1.1.42

bvm-core@1.1.42

Bun version manager with reliable public-mirror downloads for mainland China, cross-platform switching, and runtime isolation.

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10728 confirms this npm version as malicious. dist/index.js in bvm-core@1.1.43 imports child_process and issues fetch() calls to the hardcoded host https://bvm-core.nexsail.top at the top of the bundled module, alongside a secondary fetch to registry.npmmirror.com...

Advisory
MAL-2026-10728
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in bvm-core (npm)
Details
dist/index.js in bvm-core@1.1.43 imports child_process and issues fetch() calls to the hardcoded host https://bvm-core.nexsail.top at the top of the bundled module, alongside a secondary fetch to registry.npmmirror.com. The combination — a lookalike domain that mirrors the package name on an unrelated TLD, module-load-time network calls, and child_process usage in the same bundle — is the fingerprint of an install/import-time beacon and command execution channel, not a legitimate SDK call. The package name resembles established `bvm` version-manager tooling but the code routes traffic to an author-controlled host on nexsail.top rather than to any documented registry or vendor endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms bvm-core@1.1.42 as malicious (MAL-2026-10728): Malicious code in bvm-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory