OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10087 confirms this npm version as malicious. Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
lib/utils/index.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
lib/utils/smtp-connection/index.jsView on unpkg · L1Package source references weak cryptographic algorithms.
lib/smtp-connection/index.jsView on unpkg · L2