OSV Malicious Advisory
scanned 8h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10451 confirms this npm version as malicious. Package name typosquats the legitimate `gifuct-js` GIF parser and re-exports it as cover. On module load, code reconstructs the host `filament-zap.vercel.app` and paths `/service/assets/fetchBinary` / `/service/assets/fetchLinuxBinary` from String.fromCharCode numeric arrays, downloads a platform-specific executable, writes it to a `WinMetrics`/`WinService.exe` path under the user data directory, chmods it 0755 on...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
index.jsView on unpkg · L2Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg