OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10502 confirms this npm version as malicious. The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are `setDefaultModule` and `getPlugin`. `getPlugin` assembles the URL `https://svganchordev.net/icons/116` from split string fragments (`protocol`/`domain`/`separator`/`path`/`token`), fetches it with a fake `bearrtoken: 'logo'`...
Advisory
MAL-2026-10502
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in gamified-trading-system (npm)
Details
The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are `setDefaultModule` and `getPlugin`. `getPlugin` assembles the URL `https://svganchordev.net/icons/116` from split string fragments (`protocol`/`domain`/`separator`/`path`/`token`), fetches it with a fake `bearrtoken: 'logo'` header, and passes the response's `data.credits` field to `new Function('require','module','exports',...,'Promise', data.credits)` invoked with `require`, `process`, `Buffer`, and other host globals. This is a remote loader: whoever controls the attacker endpoint controls arbitrary code executed in the installer's Node process with full module privileges. A second function `setDefaultModule` fetches font-awesome SVGs from cdnjs as a decoy to camouflage the active loader. Declared runtime dependencies (`@primno/dpapi`, `better-sqlite3`, `node-machine-id`) line up with Windows DPAPI credential-decryption / machine-fingerprinting payloads commonly delivered by this loader shape. The package also ships an ed25519 OpenSSH private key (`gitlab`, comment `testm@DESKTOP-PO28IS1`), corroborating sloppy/hostile provenance.
Decision reason
OpenSSF Malicious Packages via OSV confirms gamified-trading-system@3.1.0 as malicious (MAL-2026-10502): Malicious code in gamified-trading-system (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory