OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10435 confirms this npm version as malicious. package.json declares the runtime dependency `node-runtime-utils` as `https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz` — a tarball fetched from the mutable `main` branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning...
Advisory
MAL-2026-10435
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in fetchcraft (npm)
Details
package.json declares the runtime dependency `node-runtime-utils` as `https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz` — a tarball fetched from the mutable `main` branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning. On `npm install fetchcraft`, npm downloads and installs whatever bytes that URL serves at install time, including any lifecycle scripts (preinstall/install/postinstall/prepare) shipped in the fetched tarball. Because the source is a mutable branch under a personal account rather than a registry-published package or a pinned commit, the contents can be swapped at any time without any change to fetchcraft itself, allowing arbitrary code to be executed on the installer's machine. The dependency is not referenced by the package's exported code, giving it no legitimate functional purpose.
Decision reason
OpenSSF Malicious Packages via OSV confirms fetchcraft@1.0.1 as malicious (MAL-2026-10435): Malicious code in fetchcraft (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory