OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10530 confirms this npm version as malicious. On module load, the package's main entrypoint shells out via child_process.exec to run `cat /etc/passwd` and prints the contents to stdout. This fires unconditionally when any consumer `require()`s the package — no user action or configuration is needed...
Advisory
MAL-2026-10530
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cbr-internal-utils (npm)
Details
On module load, the package's main entrypoint shells out via child_process.exec to run `cat /etc/passwd` and prints the contents to stdout. This fires unconditionally when any consumer `require()`s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.
Decision reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
References
Decision evidence
public snapshotBehavioral surface
ChildProcessShell
Source & flagged code
1 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 1bf94776584a372e
signatureType = suspicious_hashes
sourceLabel = Datadog
matchedPackage = justaexpformyself@2.1.5
matchedPath = index.js
matchedIdentity = npm:anVzdGFleHBmb3JteXNlbGY:2.1.5
similarity = 1.000
shingleOverlap = 1
summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/justaexpformyself/2.1.5/2025-07-22-justaexpformyself-v2.1.5.zip
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgFindings
1 High1 Low
HighKnown Malware Source Fingerprint Signatureindex.js
LowScripts Present