OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10473 confirms this npm version as malicious. On install, postinstall.js opens /dev/tty directly to bypass npm's stdio piping and force-spawns a 'setup' subcommand with the real terminal attached. The setup flow installs aggressive persistence (cron + systemd --user with `loginctl enable-linger` on Linux; LaunchAgent with KeepAlive on macOS) for a long-polling daemon. The daemon polls tracker.clawodoo.com/api/commands and, upon receiving an `update_client`...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/postinstall.jsView on unpkg · L3Source writes installer persistence such as shell profile or service configuration.
bin/claude-tracker.jsView on unpkg · L6Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
lib/config.jsView on unpkg · L5