registry  /  es6-codify  /  2.1.0

es6-codify@2.1.0

A lightweight collection of modern ES6+ utility helpers for strings, arrays, and objects.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10062 confirms this npm version as malicious. The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and...

Advisory
MAL-2026-10062
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in es6-codify (npm)
Details
The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation.
Decision reason
OpenSSF Malicious Packages via OSV confirms es6-codify@2.1.0 as malicious (MAL-2026-10062): Malicious code in es6-codify (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory