OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10535 confirms this npm version as malicious. package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself,...
Advisory
MAL-2026-10535
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in my-empty-package (npm)
Details
package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessFilesystem
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present
LowFilesystem