OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10190 confirms this npm version as malicious. The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned...
Decision evidence
public snapshotSource & flagged code
2 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
src/tools.jsView on unpkg · L1