registry  /  security-node  /  1.1.4

security-node@1.1.4

NPM

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10107 confirms this npm version as malicious. package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP...

Advisory
MAL-2026-10107
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in security-node (npm)
Details
package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On `npm install`, npm fetches whatever tarball that URL currently serves and installs it as node_modules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's node_modules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.
Decision reason
OpenSSF Malicious Packages via OSV confirms security-node@1.1.4 as malicious (MAL-2026-10107): Malicious code in security-node (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory