OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10436 confirms this npm version as malicious. The package jest-formatter@1.0.0 presents itself as a Jest test output formatter but its lib/collect.js imports child_process and invokes execSync with bash and zsh at lines 205 and 221. The 'collect' module name combined with shell execution via multiple shells is consistent with harvesting installer-side data (shell history, credentials, environment) from Unix hosts...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage ships high-entropy non-source blobs.
data-backup-single.rarView on unpkgPackage ships compressed or archive-like blobs.
data-backup-single.rarView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
data-backup-single.rarView on unpkg