OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10748 confirms this npm version as malicious. The package advertises itself as a string-formatting utility whose main module exports only a trivial one-line capitalize() function, but ships a postinstall.js lifecycle script that runs automatically on `npm install`. postinstall.js issues a chain of curl commands against cloud instance-metadata endpoints (AWS IMDS at 169.254.169.254, Alibaba at 100.100.100.200, Tencent at metadata.tencentyun.com, and...
Advisory
MAL-2026-10748
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in string-formatter-pro (npm)
Details
The package advertises itself as a string-formatting utility whose main module exports only a trivial one-line capitalize() function, but ships a postinstall.js lifecycle script that runs automatically on `npm install`. postinstall.js issues a chain of curl commands against cloud instance-metadata endpoints (AWS IMDS at 169.254.169.254, Alibaba at 100.100.100.200, Tencent at metadata.tencentyun.com, and 169.254.0.23) to harvest IAM security credentials, EC2 user-data, the instance identity document, and the host's OpenSSH public key, then POSTs the aggregated output plus a directory listing of /data/ to the hardcoded destination pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com (a Burp Collaborator subdomain). The trivial library surface is a decoy for install-time credential theft against the installer's cloud environment.
Decision reason
OpenSSF Malicious Packages via OSV confirms string-formatter-pro@1.0.1 as malicious (MAL-2026-10748): Malicious code in string-formatter-pro (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory