registry  /  my-empty-package  /  1.0.0

my-empty-package@1.0.0

An empty npm package

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10535 confirms this npm version as malicious. package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself,...

Advisory
MAL-2026-10535
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in my-empty-package (npm)
Details
package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.24 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present
LowFilesystem