registry  /  cbr-internal-utils  /  2.2.2

cbr-internal-utils@2.2.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10530 confirms this npm version as malicious. On module load, the package's main entrypoint shells out via child_process.exec to run `cat /etc/passwd` and prints the contents to stdout. This fires unconditionally when any consumer `require()`s the package — no user action or configuration is needed...

Advisory
MAL-2026-10530
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cbr-internal-utils (npm)
Details
On module load, the package's main entrypoint shells out via child_process.exec to run `cat /etc/passwd` and prints the contents to stdout. This fires unconditionally when any consumer `require()`s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.
Decision reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 364 B of source

Source & flagged code

1 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 1bf94776584a372e signatureType = suspicious_hashes sourceLabel = Datadog matchedPackage = justaexpformyself@2.1.5 matchedPath = index.js matchedIdentity = npm:anVzdGFleHBmb3JteXNlbGY:2.1.5 similarity = 1.000 shingleOverlap = 1 summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/justaexpformyself/2.1.5/2025-07-22-justaexpformyself-v2.1.5.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg

Findings

1 High1 Low
HighKnown Malware Source Fingerprint Signatureindex.js
LowScripts Present