OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6999 confirms this npm version as malicious. On npm install, the package's postinstall hook runs index.js, which reconstructs a remote URL (https://aone-kit.oss-cn-beijing.aliyuncs.com/plugins/crypto.js) and the shell command 'curl -sL -o' from String.fromCharCode numeric arrays, downloads the remote script to a hidden '.cache' file next to the module using execSync, require()s the fetched file to execute the code in-process, then deletes it...
Advisory
MAL-2026-6999
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in luludawang-kit (npm)
Details
On npm install, the package's postinstall hook runs index.js, which reconstructs a remote URL (https://aone-kit.oss-cn-beijing.aliyuncs.com/plugins/crypto.js) and the shell command 'curl -sL -o' from String.fromCharCode numeric arrays, downloads the remote script to a hidden '.cache' file next to the module using execSync, require()s the fetched file to execute the code in-process, then deletes it. Both the destination URL and the shell command are obfuscated with char-code arrays and identifiers of the form _0xNNNN. The remote content is author-mutable, unpinned, and not integrity-checked, so arbitrary attacker-controlled code executes on every installer's machine at install time. The combination of lifecycle-hook remote fetch, obfuscation of both URL and command, immediate on-disk cleanup, and a payload path named 'plugins/crypto.js' is a supply-chain dropper pattern.
Decision reason
OpenSSF Malicious Packages via OSV confirms luludawang-kit@0.0.1 as malicious (MAL-2026-6999): Malicious code in luludawang-kit (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory